BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly

Roy S. Rapoport rsr at inorganic.org
Wed Jul 21 15:55:12 PDT 2004


On Wed, Jul 21, 2004 at 10:35:34AM -0700, Jennifer Davis wrote:
> I was really impressed by Mark's presentation in how he built from common 
> well known ground of firewalls and IDS to the point of showing his 
> software and the data hidden within the actual headers.  I could see how 
> with an improved version of Mark's software, anyone within a company could 
> compromise any data outwards and how difficult it would be to prevent this 
> let alone track down the responsible person. 

We shouldn't overstate the case.  Mark wrote a sweet piece of software, but
in any real-world implementation it's got some limitations, especially when
traversing networks.

Mark's software requires the sender to be able to get UDP packets on the
network of the recipient.  There is one, and only one, case where you're
practically guaranteed this will be allowed: when the recipient and sender
are on the same network.

There are numerous ways one could (and in some cases should) block outbound
packets generated by Mark's software:
1. A reasonable sysadmin must block outbound packets that are not actually
coming from its own IP address space; 
2. A reasonable sysadmin should, if they're concerned about security, do
internal filtering to ensure people can't IP-spoof across internal
networks; 
3. A reasonable case can be made that one should not allow inbound/outbound
UDP packets from desktop systems; 
4. Most reasonably-locked-down proxy systems will make this problem go away
(at my last work, the number of people who could go to the outside world
without having to go through an authenticating proxy that ONLY did HTTP
could be counted on the fingers of two hands after a bloody machine shop
accident).

-roy
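The four controls Roy lists, written up as an added Python policy sketch (this is not Mark's tool and not code from anyone on the list); the address ranges, the desktop subnet, the proxy host and its port are assumptions chosen for the example. Running the same check at an internal router with that subnet's prefix as `own_space` gives the internal anti-spoof filtering of item 2.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Assumed topology (constructed for this example, not from the list post).
INTERNAL_SPACE = ip_network("10.0.0.0/8")   # the organisation's own address space
DESKTOP_NET = ip_network("10.20.0.0/16")    # desktop subnet
PROXY = ip_address("10.1.0.5")              # authenticating, HTTP-only proxy
PROXY_PORT = 3128                           # assumed proxy listening port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def verdict(pkt: Packet, own_space: IPv4Network = INTERNAL_SPACE) -> tuple[str, str]:
    """Decide whether a packet may leave the network behind `own_space`.

    At the perimeter `own_space` is the whole internal range (item 1 in the
    post); at an internal router it is that subnet's prefix, so the same
    source check also does the internal anti-spoof filtering of item 2.
    Returns (verdict, reason).
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in own_space:
        return "drop", "1: source address not in our own space (spoofed)"
    if dst in own_space:
        return "allow", "not egress: stays inside this network"
    if src in DESKTOP_NET:
        if pkt.proto == "udp":
            return "drop", "3: no UDP from desktop systems"
        if dst == PROXY and pkt.proto == "tcp" and pkt.dport == PROXY_PORT:
            return "allow", "4: desktop to authenticating proxy"
        return "drop", "4: desktops reach outside only through the proxy"
    if src == PROXY and pkt.proto == "tcp" and pkt.dport in (80, 443):
        return "allow", "4: proxy forwarding HTTP/HTTPS"
    return "drop", "default deny"


if __name__ == "__main__":
    # Constructed sample: a spoofed-source UDP packet, a desktop UDP packet,
    # a desktop going straight out on TCP/80, and the proxy doing its job.
    for p in (Packet("192.0.2.7", "198.51.100.9", "udp", 5000),
              Packet("10.20.3.4", "198.51.100.9", "udp", 53),
              Packet("10.20.3.4", "198.51.100.9", "tcp", 80),
              Packet("10.1.0.5", "198.51.100.9", "tcp", 443)):
        print(p, "->", verdict(p))
```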
