Date:  Sun, 22 Feb 2009 09:05:29 +1100
From:  Greg Kuhnert <greg.kuhnert (at mark)>
Subject:  [coba-e:15109] Re: Firewall traversal protocol - RFC 1928
To:  "Greg O'Lone" <bluequartzlist (at mark)>
Cc:  coba-e (at mark)
Message-Id:  <49A07AA9.2010509 (at mark)>
In-Reply-To:  <4FDC86CD-0B08-4E2C-B1AB-9BC6D44F7445 (at mark)>
References:  <95179954-0A8C-4AE5-92CA-12B46CABCE4F (at mark)> <49A06F4F.1090402 (at mark)> <4FDC86CD-0B08-4E2C-B1AB-9BC6D44F7445 (at mark)>
X-Mail-Count: 15109

Greg O'Lone wrote:
> On Feb 21, 2009, at 4:17 pm, Greg Kuhnert wrote:
>> Greg O'Lone wrote:
>>> Can anyone think of why a user on the outside would legitimately 
>>> need to connect to my server using SOCKS Version 5 -  Firewall 
>>> traversal protocol - RFC 1928 ?
>> Are there any services that you are blocking with a firewall that he 
>> really needs to see? If not, then it appears he wants to access 
>> something. Ask him what he is actually trying to do that is not working.
> Actually, it's a new customer and I typically pull the firewall logs 
> for new users to see if there are any protocols we forgot, but having 
> done some research, it looks as though I should continue to block it. 
> This particular customer sees nothing missing right now, so we're 
> going to just leave it. I was just wondering if anyone knows of a 
> virus using this protocol or something like that.
Google search "virus through socks"

First hit was....,130061744,139206047,00.htm

In other words, if you and I can think of it, so can a virus author. 
Their assumption is that most SOCKS proxies are not secured and 
monitored. SOCKS servers can be secure if the setup and monitoring are 
not an afterthought.

|   / \   Greg Kuhnert, gkuhnert (at mark)               |
| <  o  > Compass Networks - Pointing you in the right direction      |
|   \ /   Check out our website for NuOnce module support.            |