[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference gyro::internet_toolss

Title:Internet Tools
Notice:Report ALL NETSCAPE Problems directly to kdlucas@netscape.com.rnet? Read note 448.L for beginner information.
Moderator:teco.mro.dec.com::tecotoo.mro.dec.com::mayer
Created:Fri Jun 25 1993
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:4714
Total number of notes:40609

4436.0. "File PUSH from inside firewall??" by CHEFS::AYLESBURY_L () Fri Jan 31 1997 12:47

Also posted in NOTED::SEAL
    
I have a request from a customer asking for an audit trail of a file transfer 
through a firewall. He is concerned that people on the inside of the firewall 
can push files outside using an unlogged mechanism (unlike uuencoded files 
attached to mail messages that are logged in mail.log).

The method goes like this:

1 The customer connects to www.hotmail.com from his Netscape browser.
2 He logs into his hotmail account.
3 He composes a mail and then clicks the ATTACH button.
4 He then gets a pop-up window allowing him to select a local system file to 
  attach.
5 He selects a file and confirms the attachment.

The message can then be sent from the hotmail account with the file attached 
uuencoded.

The above works as I have tested it but I cannot find any record of the file 
being sent in any of the following log files; [mail.log, ftpxd.log, proxy-log, 
cache-log, syslog, netaccess.log and kern.log]

Can anyone tell me what method is used to transfer the file from the local 
system to the remote system outside the firewall?

Les
T.RTitleUserPersonal
Name		DateLines
4436.1BBRDGE::LOVELL� l'eau; c'est l'heureSun Feb 02 1997 16:2115
    >> Can anyone tell me what method is used to transfer the file from the
    >> local system to the remote system outside the firewall?
    
    Probably http encoded stream, but what the heck - who cares?  
    
    Your customer is fighting a losing battle.  This "loophole" through an
    external mail relay is no different than if the file had been sent
    directly by e-mail - it could just as easily have been UUencoded and 
    sent by SMTP through his standard  Internet mail relays.  Even if the
    customer has mail logging in place, a simple ZIP password would render
    the  transfer impermeable to further scrutiny.
    
    Security.  Technology is not the entire answer.
    
    /Chris/
4436.2All well and good, but...CHEFS::AYLESBURY_LMon Feb 03 1997 05:1215
    Thanks for the reply. I know that mail can have encoded files attached
    and that is the same thing as pushing files outside a firewall but what
    I really want to know is why isn't the data transfer logged anywhere.
    
    When the attachment is done using mail then the mail-log record shows
    the data transfer.
    
    The http doesn't get logged in the proxy log file nor can I find it 
    recorded anywhere. My customer is getting jumpy that people can send 
    huge files outside his company with no record of them passing.
    
    Any more ideas?
    
    Les
4436.3loggedTEMPER::kobaNoriaki.Kobayashi@tko.dec.comMon Feb 03 1997 20:0910
>    The http doesn't get logged in the proxy log file nor can I find it 
>    recorded anywhere. My customer is getting jumpy that people can send 
>    huge files outside his company with no record of them passing.

You'll be find the POST entry (to the address specified in the "compose"
page - may be a numeric address, so you cannot 'grep' it by hotmail) in
the proxy log file.


_koba
4436.4Attached file is not logged anywhere.NEWJWR::AYLESBURYLTue Feb 04 1997 08:2912
    I quite agree that the POST entry does go to the numeric ip address. I
    have tested this situation by having another DECterm running tail -f
    proxy-log to see what transactions take place.
    
    The POST entry that is returned to hotmail contains approx 2K bytes
    whereas the file I attached contained 10K bytes. So, I assume that if I
    attached a 200K file (the max allowed by hotmail.com) this POST entry
    would still be 2K bytes. 
    
    Is there no way of logging this data transfer on the firewall proxy??
                                                                       
    Les
4436.5Re-post of 4436 - any answers? Moved by ModeratorCHEFS::AYLESBURY_LMon Mar 03 1997 07:427
    Does anyone have an explaination of how data is transferred as
    described in entry 4436? 
    
    It's really quite important to find out a method of logging this 
    data as it passes through a firewall proxy.
    
    Les
4436.6Firewalls generally connection-level, not content-basedxdelta.zko.dec.com::HOFFMANSteve, OpenVMS EngineeringMon Mar 03 1997 10:5412
    
:    It's really quite important to find out a method of logging this 
:    data as it passes through a firewall proxy.

   There's likely no reliable way to record anything beyond the existence
   of the transfer, given the number of ways one can transfer information
   from inside out through a firewall.  (Unless, of course, the customer
   wants to log everything, that is...)

   Here at DIGITAL, FTP transfers outwards require additional access
   rights at the Firewall, to push files through it...