[CentOS] firewall?

Sun Jul 17 08:24:39 UTC 2011
Ljubomir Ljubojevic <office at plnet.rs>

Keith Roberts wrote:
> On Sat, 16 Jul 2011, Keith Roberts wrote:
> 
>> To: CentOS mailing list <centos at centos.org>
>> From: Keith Roberts <keith at karsites.net>
>> Subject: Re: [CentOS] firewall?
>>
>> On Sat, 16 Jul 2011, Ljubomir Ljubojevic wrote:
>>
>> *snip*
>>
>>> I wrote about "physical presence *outside* of your network", like if
>>> you are on a large WISP that uses a bridged network (bad design) and your
>>> wireless client is bridged, and you have a single NIC firewall in place,
>>> the entire WISP's network will be able to sniff your traffic and hack into
>>> unprotected workstations/desktops. And there are those scenarios, many
>>> more than you can think.
>> Which is why one poster mentioned that you need to be familiar with 
>> IPtables and Networking before trying to make your machine(s) network(s) 
>> secure?
>>
>> I read some time ago something about tunneling different protocols 
>> through firewalls? which sounded quite scary.
> 
> This is what I was referring to:
> 
> Data Driven Attacks Using HTTP Tunneling
> 
> "... HTTP Tunneling Example
> 
> HTTP tunneling can be used to access ports that are 
> normally inaccessible from a network. Consider Figure 1 
> below. The attacker's host is shown on the left with the 
> target systems on the right. The router at the edge has the 
> following policies:"
> 
> http://www.symantec.com/connect/articles/data-driven-attacks-using-http-tunneling
> 
> Sounds a bit scary to me, as any website needs to have port 
> 80 open to allow access to that website.
> 

That example is based on the premise that the attacker will exploit an 
existing security bug/hole to gain access to the system. And in that 
article they refer to IIS (Micro$oft Web server, with holes like swiss cheese).

If you check the frequency of Apache (httpd) security bugs on CentOS 
5.x, I think you will see several Denial Of Service bugs, but only one 
or two that would allow code execution. And bug reports for Apache are 
made to a secure mailing list, so the rest of the world is not aware of them 
until they are already fixed.

So I would not be overly concerned about HTTP tunneling attacks.

Ljubomir
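The tunnelling scenario quoted above rides on the one port the firewall must leave open, so a port-based rule alone will not show it; the web server's own access log is where the attempt becomes visible. The following is an added example, not code from this thread or from the Symantec article: it parses Apache "combined"-format log lines and flags the two request shapes an HTTP tunnel through a web server typically produces, a CONNECT request (a request for a raw TCP tunnel to host:port) and a proxy-style absolute-URI request aimed at a non-web port. The log lines, addresses (RFC 5737 test ranges) and status codes are constructed for the example.

```python
import re

# Apache "combined" LogFormat as documented for mod_log_config:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Only the fields up to the response size are captured; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Ports a public web server is legitimately reached on; anything else in a
# proxy-style request target is worth a second look.
WEB_PORTS = {80, 443}


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tunnel_indicator(entry):
    """Return a short reason if the request looks like a tunnelling attempt, else None."""
    method = entry["method"].upper()
    target = entry["target"]
    # CONNECT asks the server to relay raw TCP to host:port on the client's behalf.
    if method == "CONNECT":
        return f"CONNECT method to {target}"
    # An absolute URI in the request line is a forward-proxy style request;
    # an explicit non-web port means the client wants a service the edge
    # firewall would otherwise block, reached via the web server.
    m = re.match(r'^https?://[^/:]+:(\d+)', target)
    if m and int(m.group(1)) not in WEB_PORTS:
        return f"proxy-style request to non-web port {m.group(1)}"
    return None


def find_tunnel_candidates(lines):
    """Scan log lines and return (client_ip, status, reason) for each suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or non-combined line; skip rather than guess
        reason = tunnel_indicator(entry)
        if reason:
            hits.append((entry["ip"], entry["status"], reason))
    return hits


# Constructed sample log (not real traffic): one normal page fetch, one CONNECT
# attempt, one proxy-style request to telnet, one ordinary POST.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jul/2011:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jul/2011:08:00:02 +0000] "CONNECT 192.0.2.10:22 HTTP/1.1" 405 242 "-" "curl/7.19"',
    '198.51.100.7 - - [17/Jul/2011:08:00:03 +0000] "GET http://192.0.2.10:23/ HTTP/1.1" 400 226 "-" "-"',
    '198.51.100.7 - - [17/Jul/2011:08:00:04 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, reason in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{ip} status={status} {reason}")
```

On a stock httpd without mod_proxy enabled, both flagged requests are refused (the constructed 405 and 400 stand in for that), but the attempt is still logged, which is the point: the status code tells you whether the server honoured the request, the method and target tell you someone tried. Feeding the real access log through `find_tunnel_candidates` and alerting on any hit with a 2xx status is the check a single-NIC firewall cannot make on its own.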