  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
| AOL and Personal Firewalls
I've seen occasional references, recently, about AOL and how having it on your computer may cause your personal firewall to be bypassed. Most references were theory, pointing out that Bring Your Own AOL would set up a VPN between your computer and the AOL servers, thru your regular ISP and the Internet.
Today, SANS has an article about an actual case where an AOL connection caused contamination of someone's workplace network, starting with their personal firewall having been bypassed by the AOL VPN. »isc.sans.org/diary.php?date=2005-07-25 -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
| from link ".. Make sure you know what software you have installed on your computer and how it is configured. Defense-in-depth doesn't help if you have provided an access path that bypasses all of your defenses. ..."
Brilliant story!
Cudni -- Think locally, @#!? globally! Help yourself so God can help you |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
| said by Cudni: from link ".. Make sure you know what software you have installed on your computer and how it is configured. Defense-in-depth doesn't help if you have provided an access path that bypasses all of your defenses. ..." Brilliant story! Cudni
With articles like the Bouncing Malware series, and this one, the SANS/ISC RSS feed stays at the top of my feed list.
Now to alert all of my friends with AOL... -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|
  NetWatchMan Premium,VIP join:2001-03-13 Alpharetta, GA
| reply to cacroll Here is my very old analysis of this issue:
»www.mynetwatchman.com/kb/securit···ndex.htm
"Behind the scenes, the AOL client creates a VPN-like (Virtual Private Network) tunnel to one of AOL's gateways. This tunnel consists of a client-initiated TCP connection to port 5190 on the AOL gateway. The AOL "adapter" (a special virtual network interface) is now assigned a second IP address from AOL's network ranges...and here is the critical issue...it's a public IP address (e.g. 172.155.112.173) which is directly accessible by ALL Internet users."
I have NOT rechecked against current AOL clients to verify that the same issues exist today. -- Lawrence Baldwin myNetWatchman The Internet Neighborhood Watch |
|
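Added example (not part of the original thread or of the myNetWatchman article): a check for the condition described in the post above, where a host behind NAT also holds a publicly routable address on a second adapter. The `ipconfig` text and the tunnel adapter name are constructed for illustration; only the address 172.155.112.173 comes from the quoted article. Note that 172.155.x.x is not RFC 1918 space, which covers only 172.16.0.0 through 172.31.255.255.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output (not captured from a real host).
# The LAN adapter sits behind a NAT router; the second adapter stands in for
# the tunnel interface described in the post, using the article's example IP.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Tunnel Adapter (hypothetical name):

   IP Address. . . . . . . . . . . . : 172.155.112.173
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
ADDRESS_RE = re.compile(r"^\s+IP(?:v4)? Address[ .]*:\s*([0-9.]+)")

def parse_adapters(text):
    """Return {adapter name: [ip, ...]} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = []
            continue
        m = ADDRESS_RE.match(line)
        if m and current is not None:
            adapters[current].append(ipaddress.ip_address(m.group(1)))
    return adapters

def exposed_adapters(text):
    """Adapters holding a globally routable address, i.e. reachable from the
    Internet without passing through the NAT router or perimeter firewall."""
    return {
        name: [str(ip) for ip in ips if ip.is_global]
        for name, ips in parse_adapters(text).items()
        if any(ip.is_global for ip in ips)
    }

if __name__ == "__main__":
    for name, ips in exposed_adapters(SAMPLE_IPCONFIG).items():
        print(f"public address on '{name}': {', '.join(ips)}")
```

An online port scan of such a host sees only the NAT router's address, so a clean result there says nothing about the second adapter; the local interface list is what has to be checked.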
  AOLLOL
@dynamic-dialup.coret | reply to cacroll i smell cake |
|
  Oleg Bellsouth Fastaccess Premium join:2003-12-08 Birmingham, AL | reply to cacroll AOL is very insecure. |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
1 edit | reply to NetWatchMan Thanks, Lawrence. I knew I'd read something previously about this problem; apparently the unnamed employee at the unnamed company hadn't though.
Will you be updating your article, to verify the current situation? Obviously it's still relevant. -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA | reply to AOLLOL said by AOLLOL:
i smell cake
I love cake.  |
|
  MagMan Life is simpler when you tell the truth. Premium join:2003-10-01 Westlake, OH
·AT&T Midwest
| said by cacroll :said by AOLLOL:
i smell cake
I love cake.
Don't you just love that commercial :p -- "The truth is incontrovertible, malice may attack it, ignorance may deride it, but in the end; there it is." |
|
 Libra Premium join:2003-08-06 USA
| reply to NetWatchMan NetWatchman, In the link you provided you said:
"# If Sally's PC is vulnerable to the attack, it will then send response packets to the attacker, thus establishing two-way communication with the attacker, despite being protected by a firewall! # An interesting side-note is that the response traffic is routed as non-AOL traffic would be (e.g. it does NOT return through the AOL VPN)...the reason is the attacker is most likely NOT an AOL IP address so traffic will be routed as normal non-AOL traffic, e.g. go directly back through the corporate firewall."
I have always wondered why I see Remote Control Connections in the Event Viewer when a connection is established with AOL. I also see the IP addresses 192.168.xx.xx and 172.xxx.xxx.xx in ZA's firewall Zones. I knew it was related to AOL and now I realize it's the VPN connection.
I have the NAT firewall router for DSL set up not to respond to pings and both computers are fully updated and have ZA running (although the NAT firewall gets things before they reach ZA.) ZA does block pings and TCP packets to the AOL IP address. Since I have the NAT firewall set up not to respond to pings will that prevent the computer from sending out response packets and avoid an attack of this nature, or does the 172.xxx.xxx.xx send out a response packet on its own? (I think ZA is preventing this as it is blocking those pings and TCP packets.)
When I go to Shields Up it sees the NAT public address and all is stealth and no packets are returned.
Thank you.
Sincerely, Libra |
|
  Oleg Bellsouth Fastaccess Premium join:2003-12-08 Birmingham, AL | reply to cacroll You don't have to worry about viruses with AOL  |
|
  cacroll Eventually, Prozac becomes normal Premium join:2002-07-25 Martinez, CA
| said by Oleg: You don't have to worry about viruses with AOL
I don't worry about AOL - I don't use it. But I know folks who do use it, and they need to worry. Having read the SANS article anyway. -- Cheers, Chuck MS-MVP [Windows - Networking] PChuck's Network |
|