General discussion


Prevent service masquerading on networks

By debate
What types of firewalls have you deployed on your organization's network? Are you familiar with the threat of service masquerading? How much of a threat do you feel service masquerading presents to organizations? Share your comments about preventing service masquerading on your network, as discussed in the Aug. 16 Internet Security Focus e-newsletter.


Sysinternals TCPView

by abme75 In reply to Prevent service masquerad ...

I use the WRT54g firewall and TCPView to see if there's any masquerading.

Update: August 9
A lot of people have asked for it so here it is: a command-line version of Tcpview that works on NT 4 and higher and shows TCP and UDP endpoints with the owning process names.


New Technology makes this a non-issue.

by Praetorpal In reply to Sysinternals TCPView

While defending a corporate network from this type of activity isn't currently possible...

Actually it can be, easily. If you wish to see a new product that does so, go to It is commercial and in the enterprise space, but it protects against all system attacks, period, by converting a Linux system into a trusted operating system. Can be integrated with any platform.


Border rules and host-based firewalls

by mgordon In reply to Prevent service masquerad ...

Many worms behave in this manner, converting desktop PCs into servers of one kind or another. A simple approach is to separate client functions into one or more machines, and server functions into one or more machines. Worms nearly always enter via client function and exit via server function, so if you establish at the border that incoming connection requests can ONLY go to the appropriate server, and outgoing connection requests (clients) can only come from workstations (except those annoying automatic updates to hippity-hop ever changing IP addresses), you can pull the teeth out of many worms.
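The border policy described in the post above can be expressed as a check over new connection requests. This is an added example, not part of the original post; the address ranges, published ports, update exception and sample records are all constructed assumptions.

```python
import ipaddress

ip = ipaddress.ip_address
# Constructed addressing (assumptions, not from the thread).
SERVERS = {  # server address -> ports it may accept from outside
    ip("192.0.2.10"): {25},
    ip("192.0.2.20"): {80, 443},
}
WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
# Hypothetical exception for server-initiated update traffic.
UPDATE_EXCEPTIONS = {(ip("192.0.2.20"), ip("198.51.100.7"), 443)}

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def check_connection(src, dst, dport):
    """Return (allowed, reason) for one new connection request at the border."""
    src, dst = ip(src), ip(dst)
    if is_internal(src) == is_internal(dst):
        return True, "not a border crossing"
    if is_internal(dst):  # inbound request: only published server ports
        if dport in SERVERS.get(dst, ()):
            return True, "inbound to published server port"
        if dst in WORKSTATIONS:
            return False, "inbound request to a workstation"
        return False, "inbound to unpublished host or port"
    if src in WORKSTATIONS:  # outbound request: only from workstations
        return True, "outbound from workstation"
    if (src, dst, dport) in UPDATE_EXCEPTIONS:
        return True, "outbound server update exception"
    return False, "outbound request from a non-workstation host"

# Constructed sample of connection requests: (src, dst, dst_port).
SAMPLE = [
    ("203.0.113.5", "192.0.2.20", 443),   # web request to the web server
    ("203.0.113.5", "10.1.4.22", 8080),   # desktop acting as a server
    ("10.1.4.22", "203.0.113.9", 80),     # normal client browsing
    ("192.0.2.10", "203.0.113.9", 6667),  # server initiating outbound
    ("192.0.2.20", "198.51.100.7", 443),  # allowed update exception
    ("203.0.113.5", "192.0.2.10", 80),    # wrong port for the mail server
]

def violations(records):
    """Collect the records the policy would deny, with the reason."""
    results = [(rec, check_connection(*rec)) for rec in records]
    return [(rec, reason) for rec, (ok, reason) in results if not ok]

if __name__ == "__main__":
    for rec, reason in violations(SAMPLE):
        print("DENY", rec, "-", reason)
```
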


Sending Data Outbound

by Harold.J.Ballinger In reply to Prevent service masquerad ...

In my opinion, sending data outbound is fairly easy without attempting to exploit DNS as this article mentions. Even if I am on a network that is proxied, does not allow any outbound connections from client machines, and hosts only internal DNS servers, I can still send data out to the internet that would look like simple browser forms submissions to any proxy server. For example, by performing a simple binary to ASCII conversion, I should be able to submit any data via an HTML forms submission to an internet website. This is easily hidden even without the use of SSL, but tack on the ease of setting up an SSL website with a forms submission page, and I can send a great deal of data by this medium. Passing confidential data "on top" of protocols is really not that new of a concept, but it can be extremely effective.

The only real way to combat exposure of confidential data by internal personnel is to keep your people content and to only give access to those that really need the information. With the advances in technology in the short future, I wonder how many "secrets" there really will be out there. The ease of transferring and accessing data in this new digital age may change our ideas about the value and ownership of "information".
