Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: Jyri Kaljundi <jk () stallion ee>
Date: Mon, 29 Sep 1997 12:22:22 +0300 (EET DST)

On Sun, 28 Sep 1997, Paul D. Robertson wrote:

> or even seemingly "solicited" incoming traffic.  Tunnels are a fact of 
> life, and they'll just get worse as we move forward.  That's why I'd like 
> to see *official* MITM addressed in protocol specifications.  If we're 
> to _really_ take a stab at continuing to provide security and assurance 
> levels, we *need* to be able to examine data.

Right. I have seen quite a few firewalls with tunnels implemented where
you can run anything through them. And when you make that "everything"
something like SSH, you can run a lot of TCP applications through it in
both directions and set up port forwarding in many ways. And when you then,
for example, run PPP over SSH through that channel, you have a clean IP
tunnel where you can run any application you want.

Also, in the real life of firewalls, we have people who innocently run SSH
out of their firewalls. And then they innocently run port forwarding
(sometimes for months before anyone notices, if anyone notices) to connect
into their internal network from home. Yes, you need an SSH server outside
somewhere, which not everyone has, and sometimes you even need a special
client and server so you can run SSH over port 25 or 80 or whatever.

Policies and documents usually cannot stop this from happening. We need
either MITM at the firewall examining all the traffic or, better yet,
monitoring tools that would listen on the internal network and recognize
the SSH or SSL or other packets that should not be there. I don't know how
good most application layer firewalls are today, but I believe at least
some of them allow you to make a special protocol for two ends where you
could run SSH over HTTP or some other proxy.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
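The monitoring approach the post asks for (a passive sensor on the internal network that recognizes SSH or SSL packets on ports where policy does not expect them) can be sketched in a few dozen lines. The following is an added example, not code from the original post or from Firewall Wizards; the flow records, the "expected port" policy and the SSH software-version strings are constructed for this example. It matches the SSH identification string (RFC 4253, a line beginning with `SSH-`) and the TLS record header of a ClientHello (content type 0x16, record version 3.x, handshake type 0x01) against the first bytes of each TCP stream and raises an alert when either appears on a port other than the one the policy allows.

```python
"""Flag SSH or TLS on ports where policy does not expect it.

Added, self-contained example. Each Flow is what a passive sensor on the
internal segment would hand us: endpoints, destination port and the first
bytes of payload on the stream. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical policy: where SSH and TLS are allowed to appear.
EXPECTED_SSH_PORTS = {22}
EXPECTED_TLS_PORTS = {443}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes seen on the stream (either direction)


def is_ssh_banner(payload: bytes) -> bool:
    """RFC 4253 identification string: a line starting with 'SSH-', e.g.
    'SSH-2.0-...' or 'SSH-1.99-...'. A server may send other text lines
    before it, so every line in the first 255 bytes is examined."""
    for line in payload[:255].split(b"\n"):
        if line.startswith(b"SSH-"):
            return True
    return False


def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), 2-byte version,
    2-byte length; the handshake byte that follows is 0x01 for ClientHello.
    SSL 2.0-style hellos use a different framing and are not matched here."""
    if len(payload) < 6:
        return False
    content_type, major, minor, hs_type = payload[0], payload[1], payload[2], payload[5]
    return content_type == 0x16 and major == 3 and minor <= 4 and hs_type == 0x01


def classify(flow: Flow) -> Optional[str]:
    """Return an alert line if the flow carries a protocol that policy does
    not allow on its port, else None."""
    if is_ssh_banner(flow.payload) and flow.dst_port not in EXPECTED_SSH_PORTS:
        return f"SSH on tcp/{flow.dst_port} {flow.src} -> {flow.dst}"
    if is_tls_client_hello(flow.payload) and flow.dst_port not in EXPECTED_TLS_PORTS:
        return f"TLS on tcp/{flow.dst_port} {flow.src} -> {flow.dst}"
    return None


def scan(flows: List[Flow]) -> List[str]:
    """Run classify() over every flow and keep the alerts."""
    return [alert for alert in map(classify, flows) if alert is not None]


# Constructed sample: SSH hidden on the SMTP port, TLS on the HTTP port,
# plus three flows that match their port and must not alert.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 25, b"SSH-2.0-example_1.0\r\n"),
    Flow("10.0.0.7", "192.0.2.11", 80,
         b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 16),
    Flow("10.0.0.8", "192.0.2.12", 22, b"SSH-2.0-example_1.0\r\n"),
    Flow("10.0.0.9", "192.0.2.13", 80, b"GET / HTTP/1.0\r\n\r\n"),
    Flow("10.0.0.9", "192.0.2.14", 25, b"220 mail.example.org ESMTP\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Two caveats a practitioner would want: banner matching only catches the cases the post describes, SSH or SSL carried on an unexpected port; a tunnel run inside an SSH session that is itself allowed on port 22 looks like any other SSH session to this check, which is exactly why the post argues for inspection at the firewall as well. And the sensor has to see the first bytes of each stream, so it belongs on a tap or span port of the internal segment, not behind the firewall's own NAT.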