Leon,

If what you are talking about is checking whether the packets are REAL HTTP when they go through port 80, then you will be disappointed.

What you can do on Checkpoint (don't know if PIX can do it) is authenticate HTTP connections and point to some sort of CVP server that checks traffic going to the Internet from the internal network. This way the CVP server can check IP packets for all kinds of stuff (depends on the CVP server of course) and may deny packets that aren't HTTP packets. This makes it more difficult to use port 80 through firewalls, but if you can do some serious firewall piercing you may find another port that is open and connect through that port to the Internet with netcat. Basically it depends on whether they use plain and simple stateful inspection or do some more application filtering of traffic. A normal Checkpoint or PIX firewall allowing port 80 is vulnerable; if they use some kind of proxy or CVP it's not so easy to connect with netcat to the outside.

What I also advise network admins is to allow HTTP traffic outbound only via the proxy (if you use one, which I would advise to always use anyway)... don't allow HTTP traffic originating from the clients out!

Regards,
Brenno

> -----Original Message-----
> From: leon [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday 7 February 2002 3:20
> To: [EMAIL PROTECTED]
> Subject: basic stateful inspection question
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> It seems to me that a lot of people use either NAT or PAT and that
> these types of firewalls by default drop unsolicited connection
> attempts (meaning packets that arrive with the SYN bit set).
> Any packet that leaves the network is put in the state table so that
> the return packets can come back in.
>
> My question is this: if I were to exploit a client-side buffer
> overflow and I got the system to make a connection to me via netcat
> with a destination port of 80, would I circumvent a majority of the
> stateful inspection firewalls? It seems that these firewalls trust
> that ALL connections originating from the inside are good.
>
> Now I know we could block off destination ports of services we don't
> want to allow access to (say no port 23 traffic leaves the network
> because we don't allow telnet), but I am wondering if either of these
> firewalls has a method of filtering based on protocol (for example,
> allow 80 to be a destination port but only HTTP traffic can cross it.
> No netcat, no AIM, no LimeWire, just HTTP).
>
> I have seen a ton of networks where I came in and I found people
> using things like AIM even though the firewall specifically only
> permitted port 80 traffic out (obviously these people switched the
> port from 5190 to 80).
>
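The difference the thread is circling around, between a port-based stateful rule ("destination port 80 is allowed") and an application-aware rule ("destination port 80 is allowed only if the bytes are HTTP"), can be shown with a small classifier. The following is an added illustration written for this page; it is not code from either poster, not a CVP module, and not a description of how Checkpoint or PIX inspect traffic. The flows, the source addresses and the payloads are all constructed, and the check itself is deliberately simplified: it looks only at the first bytes a client sends and asks whether they form an HTTP/1.x request line followed by well-formed header lines.

```python
import re

# RFC 7230 "token" characters, used for both the method and header field names.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN + rb") (\S+) HTTP/1\.[01]\r\n")
HEADER_LINE = re.compile(rb"^" + TOKEN + rb":[ \t]*[^\r\n]*$")
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}

# Constructed outbound flows: (client address, destination port, first bytes the
# client sent). These are made-up samples, not captures from any real network.
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.7", 80, b"hello from netcat\n"),                      # plain text on port 80
    ("10.0.0.9", 80, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),  # OSCAR/FLAP-style frame (AIM)
    ("10.0.0.11", 23, b"\xff\xfb\x18\xff\xfb\x20"),                 # telnet option negotiation
    ("10.0.0.12", 80, b"POST /upload HTTP/1.0\r\nContent-Length: 5\r\n\r\nhello"),
]


def looks_like_http_request(first_bytes: bytes) -> bool:
    """True if the leading bytes of a client->server stream form an HTTP/1.x request.

    Only the request line and the header lines that are fully present are
    checked; a header block cut off mid-line (segment boundary) is tolerated.
    """
    m = REQUEST_LINE.match(first_bytes)
    if not m or m.group(1) not in HTTP_METHODS:
        return False
    rest = first_bytes[m.end():]
    head = rest.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    # If the blank line ending the header block is not there yet, the last
    # fragment may be an incomplete header, so do not judge it.
    complete = lines if b"\r\n\r\n" in rest else lines[:-1]
    return all(HEADER_LINE.match(line) for line in complete if line != b"")


def evaluate(flows):
    """Per flow: (client, verdict of a port-only rule, verdict of a protocol-aware rule)."""
    verdicts = []
    for client, dport, first_bytes in flows:
        port_only = dport == 80                                    # "allow tcp/80 outbound"
        protocol_aware = port_only and looks_like_http_request(first_bytes)
        verdicts.append((client, port_only, protocol_aware))
    return verdicts


if __name__ == "__main__":
    print(f"{'client':<12} {'port-only':<10} {'protocol-aware':<15}")
    for client, port_only, protocol_aware in evaluate(SAMPLE_FLOWS):
        print(f"{client:<12} {'allow' if port_only else 'deny':<10} "
              f"{'allow' if protocol_aware else 'deny':<15}")
```

Run as a script it prints one row per constructed flow: the port-only rule passes the netcat text and the FLAP frame because they are addressed to port 80, while the protocol-aware rule passes only the two HTTP requests. A first-segment check like this is what raises the bar from "port 80" to "HTTP on port 80"; it is not a substitute for the proxy-only egress Brenno recommends, since the check can only judge the bytes it sees, and a full proxy additionally terminates the connection and speaks HTTP on the client's behalf.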
