Ethereal-users: RE: [Ethereal-users] Covert Channel Detected? (Quick Follow-Up)

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Robinson, Eric" <eric@xxxxxxxxx>
Date: Fri, 5 Nov 2004 08:57:41 -0800

>I suggest Stateful inspection of traffic into your web server, simple TCP handshakes
>and state analysis will prevent fragments arriving and therefore remove this potential

Good idea. This server is actually in my dirty DMZ between my border Cisco 2501 without firewalling code and my actual firewall. I can move it into the firewall DMZ and thus apply stateful inspection.

>If using Windows (post 2k) close off the ports not required on the server,
>using the advanced networks settings.

I’m already there.

>With Cisco router before server, control the flow of ports both INTO and OUT from the server,

I’m already there, minus the reflexive part. I do have ingress and egress filters.

>I personally like the TCP established ACL

I use that one, too.

My instinct says these are not dangerous packets, but they are mighty curious nonetheless.

--Eric

-----Original Message-----
From: Robinson, Eric [mailto:eric@xxxxxxxxx]
Sent: 05 November 2004 09:56
To: ethereal-users; rlug
Subject: [Ethereal-users] Covert Channel Detected? (Quick Follow-Up)

Okay, before anybody zaps me for saying "class C," I meant it is a C-sized CIDR block.

--
Eric Robinson