
Hidden rules and data leaking in XG

On the subject of the XG firewall ‘leaking’, it’s worth mentioning DNS. XG doesn’t seem too bothered about DNS, can someone confirm if I’m correct with this scenario? If you have DNS turned on for a zone, you’re essentially allowing unmonitored two-way data flow to any site, regardless of other rules.

It goes like this: devices in ‘LockedDownZone’ have no internet access (or highly restricted), but DNS services are turned on in XG (maybe for NTP server resolution or something, it doesn’t matter). Something in that zone wants to talk to ‘evil.com’ for command and control. The app or JavaScript uses base64 to encode the evil message, and issues several DNS queries:

Message-part1-etcetcetc.evil.com
Message-part2-etcetcetc.evil.com
Message-part3-etcetcetc.evil.com

4x base64 chars can encode 3 bytes, so it’s quite efficient. A few DNS queries could encode 1 KB of data. XG happily passes these requests along to your upstream DNS, and eventually to evil.com where they can be decoded and a response sent by their authoritative server. TXT DNS records can be quite large.

My understanding is that Web Protection looks at HTTP(S) and not the actual DNS queries? In any case, the hidden rule problem and the lack of DNS logging (is there any? I haven’t spotted it) mean this stuff seems invisible to XG. Block traffic at night? The DNS service will still be running and resolving! If you turn off internal XG DNS you can then control traffic to an external DNS service with firewall rules, but it wasn’t immediately obvious that this should even be necessary.

In my view XG’s lack of DNS protection or monitoring is a big problem. Log DNS queries and responses. Throttle them. Check for suspicious traffic.

PS. Sorry about the lack of line breaks!
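The post asks for DNS logging and a check for suspicious traffic. As an added example (not from the post or from Sophos), here is the kind of check a defender would run over resolver logs to spot the chunked, encoded-subdomain pattern described above. The log format, the `evil.example` domain and the thresholds are all constructed assumptions; XG's own log format is not shown on the page.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical "<time> <client> <qtype> <qname>"
# format, not XG output). The four TXT lines imitate the chunked, encoded
# subdomain pattern from the post; "evil.example" is a placeholder domain.
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A pool.ntp.org
10:00:02 10.1.2.3 A www.sophos.com
10:00:02 10.1.2.3 A cdn.sophos.com
10:00:03 10.1.2.3 TXT TWVzc2FnZS1wYXJ0MS1ldGNldGNldGM.evil.example
10:00:03 10.1.2.3 TXT TWVzc2FnZS1wYXJ0Mi1ldGNldGNldGM.evil.example
10:00:04 10.1.2.3 TXT TWVzc2FnZS1wYXJ0My1ldGNldGNldGM.evil.example
10:00:05 10.1.2.3 TXT TWVzc2FnZS1wYXJ0NC1ldGNldGNldGM.evil.example
10:00:06 10.1.2.3 A mail.sophos.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; encoded data scores far higher than words."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(qname: str) -> str:
    """Naive: last two labels. Production code should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=3, min_label_len=20, min_entropy=3.5, ratio=0.8):
    """Group queries by registered domain and flag domains whose leftmost labels
    look like payload chunks: many distinct, long, high-entropy subdomains."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "txt": 0, "suspicious": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the whole analysis
        _ts, _client, qtype, qname = fields
        domain = registered_domain(qname)
        sub = qname[: -len(domain) - 1] if qname != domain else ""
        first_label = sub.split(".")[0]
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        if qtype.upper() == "TXT":
            s["txt"] += 1  # large TXT answers are the return channel the post mentions
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            s["suspicious"] += 1
    return {d: {"queries": s["queries"], "unique_subdomains": len(s["subdomains"]), "txt_queries": s["txt"]}
            for d, s in stats.items()
            if s["queries"] >= min_queries and s["suspicious"] / s["queries"] >= ratio}

if __name__ == "__main__":
    for domain, summary in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"possible DNS tunnel to {domain}: {summary}")
```

Note that `sophos.com` also receives three queries with distinct subdomains but is not flagged, because short dictionary labels fail the length and entropy tests; the thresholds need tuning against your own baseline before alerting on them.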


  • ATP will look at your DNS queries and will block them. If you are really concerned, you can use something like OpenDNS as your forwarder and it will give you far more control over your forwarder also. There is a post on DNS best practices by  somewhere on the UTM forum and a lot of those principles apply to XG.

    I am not really sure, other than ATP, how you would filter DNS queries. A DNS caching/resolver server has one job: forward the queries or resolve them and then cache them. I am not familiar with the attack vector you are describing but it seems interesting.

  • Hi Billybob, I have situations where Cisco Umbrella is going crazy but XG with ATP is completely happy with the traffic. Obviously it’s hard to distinguish ‘bad’ DNS from normal, but logging at least should occur.
  • Yeah, I have had that happen with OpenDNS also, where it is complaining about 1000s of queries to malicious sites whereas ATP is saying nothing. ATP relies on the data provided by Sophos, so I will leave it at that.
    You will not get any arguments from me regarding logging. Every daemon in XG is very quiet for some reason and the logs provided in the GUI are not sufficient to troubleshoot basic problems.