On 2010-08-31 18:07, Jack Bates wrote:
Jeroen Massar wrote:
Jack: there are a lot more methods to infect a host than this, as there are lots and lots of p2p protocols which are being used by C&C botnets. And never forget about this very simple protocol called HTTP(S).
I agree, though let's consider HTTP. If a firewall is set to filter it, yet you are tunneling through with IPv6, you've bypassed your HTTP filters, which may, among other things, provide AV protection. I recognize that there are plenty of ways to infect a machine. My concern is that Teredo can bypass firewall security and relies upon host security to protect the computer. Unfortunately, not everyone utilizes host security, and many depend on network firewalls instead.
If you have a "firewall" which only blocks things it knows, you don't have a proper firewall. The only 'firewall' that makes sense anyway is the one which is unplugged. There is always a way out of the network as long as you can have a controlled box on the outside that you can send packets to and from.

Network firewalls are great for 'centralized' mitigation and for trying to at least cut out most of the wrong stuff you don't want to see as an administrator, but if you are truly serious about it then you should be deploying monitoring on the hosts that are attached to your network too. Just remember that a lot of people have VPN software, connect from home to that VPN and do other weird setups (Skype for instance, BitTorrent) where there are possibilities to bypass your "firewall". And indeed, there is no proper solution for that unless you create a walled garden and allow people to only connect to known services and only allow them to send minimal messages: no flash, no other cruft like images. Steganography is also so much fun. Too many ways, even per default and also if someone really wants.

The only thing you can do is keep your eyes wide open and of course define what you are really trying to protect against, as one can just as well use sneakernet to move data around.

Greets,
Jeroen
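As an added illustration of the point Jack makes above (this is example code written for this page, not code from Jack, Jeroen or the thread), the following Python classifier runs over a few constructed flow records and shows the mismatch: a port-based HTTP filter only inspects native TCP/80 and TCP/443, so IPv6 (and any HTTP inside it) carried in a Teredo UDP tunnel or a protocol-41 IPv6-in-IPv4 tunnel never reaches it. It assumes Teredo's default server/relay port UDP/3544 (RFC 4380) and IP protocol number 41 for IPv6-in-IPv4 encapsulation; the record format and the addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed flow records for this example: "<proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_FLOWS = [
    "tcp 192.0.2.10:51000 -> 198.51.100.5:80",   # native IPv4 HTTP: the filter sees it
    "udp 192.0.2.10:52000 -> 203.0.113.7:3544",  # Teredo: IPv6 wrapped in UDP/IPv4
    "41 192.0.2.11:0 -> 192.88.99.1:0",          # protocol 41: IPv6-in-IPv4 (6to4 style)
    "udp 192.0.2.12:53000 -> 203.0.113.9:53",    # ordinary DNS, not a tunnel
]

TEREDO_UDP_PORT = 3544         # RFC 4380 default; assumes the client was not reconfigured
IPV6_IN_IPV4_PROTO = "41"      # IP protocol number for IPv6 encapsulated in IPv4
HTTP_FILTER_PORTS = {80, 443}  # the only traffic a port-based HTTP filter inspects

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record; raise on anything else."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    proto, src, sport, dst, dport = m.groups()
    return Flow(proto.lower(), src, int(sport), dst, int(dport))


def http_filter_sees(flow: Flow) -> bool:
    """True only for native TCP flows to the HTTP/HTTPS ports."""
    return flow.proto == "tcp" and flow.dport in HTTP_FILTER_PORTS


def tunnel_kind(flow: Flow) -> Optional[str]:
    """Name the IPv6-over-IPv4 carrier, if this flow is one."""
    if flow.proto == "udp" and TEREDO_UDP_PORT in (flow.sport, flow.dport):
        return "teredo"
    if flow.proto == IPV6_IN_IPV4_PROTO:
        return "ipv6-in-ipv4"
    return None


def triage(lines):
    """Split records into what the HTTP filter inspects and tunnels worth alerting on."""
    inspected, tunnels = [], []
    for line in lines:
        flow = parse_flow(line)
        if http_filter_sees(flow):
            inspected.append(line)
        kind = tunnel_kind(flow)
        if kind:
            tunnels.append((kind, flow.src, flow.dst))
    return {"inspected": inspected, "tunnels": tunnels}


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for line in result["inspected"]:
        print("HTTP filter inspects:", line)
    for kind, src, dst in result["tunnels"]:
        print(f"ALERT tunnel={kind} {src} -> {dst}: "
              "the IPv6 payload never reaches the HTTP filter")
```

On the sample records only the first flow is inspected; the Teredo and protocol-41 flows are reported as tunnels. In practice the same classification belongs on the network monitoring Jeroen mentions, alongside host-side controls, since blocking UDP/3544 and protocol 41 at the edge only covers the default configurations.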