How did he do this? I mean, how did he configure it to not send clear text passwords? I can understand if he blocked outgoing ports 21 and 23, as these (FTP and telnet) use clear text passwords, but that will create problems because you could not even get to anonymous FTP sites then. What about web forms - these are usually clear text, how did he block that? I have set up firewalls before, but have never tried to get them to block based on content. I just don't see how it could be done. You would be adding rules to the firewall constantly. I'm sure Media Player and some other programs do phone home when they are fired up; Media Player and Winamp do this (along with some other instant messaging programs) to see if newer programs are available. I would be interested to know how your friend is firewalling based on content.

On Fri, 5 Oct 2001, Ray Dillinger wrote:
Recently, a friend of mine (who actually runs BSD, and has one windows box behind his firewall) observed something and warned me about it, and I thought I should pass the warning along.
My friend Chris had set up his windows box, but, being more than usually sensible, he configured his firewall to check *OUTGOING* packets and filter them on content -- specifically, not allowing packets to go out if they contained identifying information about his windows machine or the software installed on it, or cleartext passwords.
This is good practice simply because if something behind your firewall gets infected, odds are that it's going to try to send out lots and lots of packets, or report configuration/passwords/etc back to its creator, and a well-configured firewall is supposed to stop it.
But when he started up Media Player, the firewall, in his words, "lit up like a Christmas tree." As it turns out there are some Windows applications that "phone home" with information you'd really rather not have people outside your firewall pawing through, including passwords in cleartext, lists of software installed, etc. And Media Player is one such.
Increasingly, as commercial and closed-source software for Linux becomes available, monitoring for this kind of abuse will become even more relevant. It seems that it's already quite a problem if you run Windows boxes behind your firewall.
So set up a good firewall that filters outgoing packets on content, as well as incoming packets on port number.
Bear
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Chad Whitten
Network/Systems Administrator
neXband Communications
chadwick@nexband.com
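The thread leaves Chad's question open: what does "filter outgoing packets on content" actually look like? The following is an added example, not code from either poster and not a description of how Chris's firewall was built. It models, in user space, a content inspector for outbound payloads that flags FTP PASS commands (while letting anonymous logins through, which a plain port-21 block cannot), HTTP Basic authorization headers, password fields in urlencoded form POSTs, and a hypothetical list of host identifiers (the hostname WORKSTATION-7 and user alice are assumptions). It assumes it is handed a reassembled TCP stream rather than a single raw segment, and all sample payloads are constructed for the demonstration.

```python
"""Content-based egress inspection for cleartext credentials and host identifiers.

Added example (not from the original thread). It assumes the caller hands it a
reassembled outbound TCP stream; a per-segment inspector would also need to keep
per-connection state (e.g. to pair an FTP USER with its PASS).
"""
import base64
import re
from urllib.parse import parse_qs

# Hypothetical identifiers the operator does not want leaving the network.
HOST_IDENTIFIERS = (b"WORKSTATION-7",)

# Form field names that conventionally carry a password in urlencoded bodies.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}

# Anonymous FTP logins: the "password" is a courtesy e-mail address, not a secret.
ANONYMOUS_USERS = {b"anonymous", b"ftp"}

FTP_USER_RE = re.compile(rb"^USER (?P<user>[^\r\n]+)", re.MULTILINE)
FTP_PASS_RE = re.compile(rb"^PASS (?P<pw>[^\r\n]+)", re.MULTILINE)
BASIC_AUTH_RE = re.compile(
    rb"^Authorization:\s*Basic\s+(?P<b64>[A-Za-z0-9+/=]+)",
    re.MULTILINE | re.IGNORECASE,
)


def _http_body(payload: bytes) -> bytes:
    """Return the HTTP body (bytes after the blank line), or b'' if there is none."""
    sep = payload.find(b"\r\n\r\n")
    return payload[sep + 4:] if sep != -1 else b""


def inspect_outbound(payload: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing sensitive was seen."""
    findings = []

    # 1. FTP login: PASS carries the password verbatim, unless the user is anonymous.
    user = FTP_USER_RE.search(payload)
    anonymous = user is not None and user.group("user").strip().lower() in ANONYMOUS_USERS
    if FTP_PASS_RE.search(payload) and not anonymous:
        findings.append("ftp-cleartext-password")

    # 2. HTTP Basic auth: base64 is an encoding, not encryption, so it is cleartext too.
    m = BASIC_AUTH_RE.search(payload)
    if m:
        try:
            creds = base64.b64decode(m.group("b64"), validate=True)
            if b":" in creds:  # user:password shape confirms it really is Basic auth
                findings.append("http-basic-auth-cleartext")
        except ValueError:  # binascii.Error is a ValueError: malformed base64, ignore
            pass

    # 3. HTTP form POST with a password-like field in an urlencoded body.
    body = _http_body(payload)
    if body and b"application/x-www-form-urlencoded" in payload.lower():
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        if PASSWORD_FIELDS & {k.lower() for k in fields}:
            findings.append("http-form-cleartext-password")

    # 4. Host identifiers anywhere in the payload (case-insensitive).
    lowered = payload.lower()
    for ident in HOST_IDENTIFIERS:
        if ident.lower() in lowered:
            findings.append(f"host-identifier:{ident.decode()}")

    return findings


def egress_verdict(payload: bytes, dst_port: int, blocked_ports=(23,)) -> str:
    """Combine a port rule with the content rule.

    Telnet (23) is blocked by port because it sends one keystroke per segment, so a
    content match never sees a whole password.  FTP (21) is left open and judged on
    content, which keeps anonymous FTP working while dropping real logins.
    """
    if dst_port in blocked_ports:
        return "DROP (port policy)"
    findings = inspect_outbound(payload)
    return f"DROP ({', '.join(findings)})" if findings else "ACCEPT"


# Constructed sample streams for the demonstration.
SAMPLES = {
    "ftp_login": b"USER alice\r\nPASS hunter2\r\n",
    "ftp_anonymous": b"USER anonymous\r\nPASS guest@example.com\r\n",
    "http_basic": (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                   b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    "form_post": (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 31\r\n\r\nusername=alice&password=hunter2"),
    "phone_home": (b"GET /update?host=WORKSTATION-7&ver=7.0 HTTP/1.1\r\n"
                   b"Host: updates.example.com\r\n\r\n"),
    "clean": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} -> {egress_verdict(payload, 21 if name.startswith('ftp') else 80)}")
```

The point the example makes is the one Chad raises: a content rule needs a reassembled stream and a per-protocol notion of where the secret sits, so it is a deep-inspection feature rather than a packet-filter rule, and protocols that never put a whole credential in one place (telnet) still have to be handled by port.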