[TriLUG] Is it a security risk...

sholton at mindspring.com sholton at mindspring.com
Fri Sep 3 13:37:50 EDT 2004


Forwarding this port (as opposed to closing it) adds the following
vulnerabilities:

1. The Windows box will receive requests on that port. The box inherits
any vulnerability introduced by Cyg/X, or inherited by Cyg/X
from the applications it supports.
Take steps to ensure Cyg/X is secure and patched. Ensure any
application you use through Cyg/X is also secure and patched.

2. If the Windows box is not running Cyg/X (or Cyg/X is for some
reason not in control) then the box will be as exposed as the 
underlying Windows install is. I can't comment on this further, 
but it would depend on the specific version of Windows and 
any patches installed.
Take steps to ensure Cyg/X is always running on this box, and 
always the destination for communication on this port.

3. If Windows were passing on connections on that port to some
other application than Cyg/X (such as a trojan, or a legitimate
application) then the box inherits vulnerabilities through this vector.
Take steps to ensure the Windows box is current and patched.
Remember that the vector could be either a Windows vulnerability
involving this port, trojans exploiting the port, or applications exploiting
it.  Use good AV software.

4. If the box itself is not on-line, then another (presumably compromised)
box on your network could claim the IP address (and thus the channel)
from the Windows box and exploit the channel that way.
Take steps to ensure the box is always up, or to ensure the port is only 
open when the box is up.

5. Not a likely scenario, but an attacker could send packets to the
box knowing they would be ignored, and plan to 'sniff' them out of the
channel from elsewhere, creating a covert channel. 
Take steps to monitor the usage of this port on your firewall, if
possible. 

-----Original Message-----
From: Brian Henning <brian at strutmasters.com>
Sent: Sep 3, 2004 12:54 PM
To: TriLUG <trilug at trilug.org>
Subject: [TriLUG] Is it a security risk...

...to leave the X11 port, 6000, open at our firewall, which then gets
forwarded to a Windows machine (equipped with Cyg/X of course)?
Never mind about the security aspects of the act of forwarding an X-session
in the clear on a public network..  I'm just wondering if the port itself
poses much threat, i.e. do common Windows attacks come on that port?
Thanks...  and references to websites for me to in essence RTFM are always
appreciated.

Cheers,
~Brian

----------------
Brian A. Henning
Strutmasters.com
866.597.2397
----------------


-- 
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc


-- 
Steve Holton
sholton at mindspring.com
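
One way to act on items 2 and 5 of the reply above (keep the Cyg/X box the only destination for the port, and monitor the port's usage at the firewall), as an added example that is not part of the original messages. It assumes the firewall writes netfilter-style LOG lines for new connections; the log lines, addresses, the `X11` log prefix and the function name `audit_x11` are constructed for illustration.

```python
import re
from collections import Counter

X11_PORT = 6000  # the forwarded port discussed in the thread

# Constructed sample in netfilter LOG style; all addresses are placeholders.
SAMPLE_LOG = """\
Sep  3 12:01:10 fw kernel: X11 IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40112 DPT=6000 SYN
Sep  3 12:01:44 fw kernel: X11 IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40113 DPT=6000 SYN
Sep  3 12:07:02 fw kernel: X11 IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.168.1.20 PROTO=TCP SPT=51515 DPT=6000 SYN
Sep  3 12:09:30 fw kernel: X11 IN=eth0 OUT=eth1 SRC=203.0.113.99 DST=192.168.1.31 PROTO=TCP SPT=51516 DPT=6000 SYN
Sep  3 12:10:00 fw kernel: WEB IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=33000 DPT=80 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value tokens of a LOG line


def audit_x11(log_text, x_host, expected_sources, port=X11_PORT):
    """Summarise logged TCP connections to the forwarded X11 port.

    Returns (per-source counts, sources not on the expected list,
    (src, dst) pairs where the port reached a host other than x_host).
    """
    per_source = Counter()
    wrong_dest = set()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue  # not traffic for the forwarded port
        if "SRC" not in f or "DST" not in f:
            continue  # malformed or truncated line
        per_source[f["SRC"]] += 1
        if f["DST"] != x_host:
            wrong_dest.add((f["SRC"], f["DST"]))
    unexpected = sorted(set(per_source) - set(expected_sources))
    return per_source, unexpected, sorted(wrong_dest)


if __name__ == "__main__":
    counts, unexpected, wrong = audit_x11(
        SAMPLE_LOG, x_host="192.168.1.20", expected_sources={"198.51.100.7"})
    for src, n in counts.most_common():
        print(f"{src}: {n} connection(s) to port {X11_PORT}")
    print("unexpected sources:", unexpected)
    print("delivered to a host other than the Cyg/X box:", wrong)
```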


