Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 6197 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Hidden rules and data leaking in XG

MrMuishond
On the subject of the XG firewall ‘leaking’, it’s worth mentioning DNS. XG doesn’t seem too bothered about DNS, can someone confirm if I’m correct with this scenario? If you have DNS turned on for a zone, you’re essentially allowing unmonitored 2 way data flow to any site, regardless of other rules. It goes like this: Devices in ‘LockedDownZone’ have no internet access (or highly restricted), but DNS services are turned on in XG (maybe for ntp server resolution or something, it doesn’t matter). Something in that zone wants to talk to ‘evil.com’ for command and control. The app or JavaScript uses base64 to encode the evil message, and issues several DNS queries: Message-part1-etcetcetc.evil.com Message-part2-etcetcetc.evil.com Message-part3-etcetcetc.evil.com 4x base64 chars can encode 3 bytes, so it’s quite efficient. A few dns queries could encode 1kb of data. XG happily passes these requests along to your upstream DNS, and eventually to evil.com where they can be decoded and a response sent by their authoritative server. TXT dns records can be quite large. My understanding is that Web Protection looks at http(s) and not the actual dns queries? In any case, the hidden rule problem and the lack of DNS logging (is there any? I haven’t spotted it) mean this stuff seems invisible to XG. Block traffic at night? The DNS service will still be running and resolving! If you turn off internal XG DNS you can then control traffic to an external DNS service with firewall rules, but it wasn’t immediately obvious that this should even be necessary. In my view XG’s lack of DNS protection or monitoring is a big problem. Log DNS queries and responses. Throttle them. Check for suspicious traffic. PS. Sorry about the lack of line breaks!


This thread was automatically locked due to age.
  • 0

    ATP will look at your dns queries and will block them. If you are really concerned, you can use something like opendns as your forwarder and it will give you far more control over your forwarder also. There is a post on dns best practices by  somewhere on the UTM forum and a lot of those principals apply to XG.

    I am not really sure other than ATP, how you would filter DNS queries. DNS caching/resolver server has one job, forward the queries or resolve them and then cache them. I am not familiar with the attack vector you are describing but it seems interesting. 

  • 0 in reply to Billybob
    Hi Billybob, I have situations where Cisco Umbrella is going crazy but XG with ATP is completely happy with the traffic. Obs it’s hard to distinguish ‘bad’ dns from normal but logging at least should occur.
  • 0 in reply to MrMuishond

    Yeah I have had that happen with opendns also where it is complaining about 1000s of queries to malicious sites whereas atp is saying nothing. ATP relies on the data provided by sophos so I will leave it at that. 
    You will not get any arguments from me regarding logging. Every daemon in XG is very quiet for some reason and the logs provided in the GUI are not sufficient enough to troubleshoot basic problems.