Firewall Wizards mailing list archives

Re: httptunnel


From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 23 Mar 1999 21:56:46 -0500

In message <Pine.GSO.4.05.9903231102580.7131-100000@elvis>, Ken Hardy writes:
See http://www.nocrew.org/software/httptunnel.html for a great
little piece of software.  Works through your existing HTTP
proxy to render your firewall meaningless.  (I've been waiting
for something like BackOrifice to use HTTP instead of UDP for
its remote control session.)

We currently do not use proxy authentication for HTTP requests
which originate internally.  May change that.  I presume that
that could help thwart a covert trojan program trying to get
out w/ HTTP.  Thoughts?  I also presume that coders of httptunnel
could easily build in proxy authentication for users who intend
to install it on their desktop for some purpose, so it cannot
be a panacea.

Firewalls are based on two fundamental assumptions:  that anyone on the
outside may be bad, and that all actors on the inside are good.  If the latter
assumption is false, your firewall is useless.

Once upon a time, the inside "actors" referred to people.  In an era
of mobile code -- mobile in the sense of both Java/ActiveX and in reference
to outside code that is installed -- the word refers to such programs
as well.

Here we have a piece of "malware" -- code designed to subvert administrative
policy.  Although perhaps in theory it could be installed by, say, a Makefile
in some popular package, or by a Trojan horse in something you run, most
likely it would be deliberately installed by someone who doesn't like
the firewall.  But the difference isn't that important -- what matters is
that either is a bad actor on the inside.  The precise tunnel chosen isn't
that interesting, either -- years ago, as I recall, Marcus implemented IP
over DNS and IP over email ("the round trip time is pretty long, but
you have a really large MTU").  *Any* bidirectional channel can be used as
a tunnel -- and if your users are hell-bent on getting around your firewall,
they're going to.  *Maybe* you can use traffic analysis to find such things,
but then you're in a serious arms race.  You can't use technical means
to enforce a stricter security policy than your organizational culture
will support, though human means, such as a chat with management, may work.
(Aside:  a few years ago, I gave a talk at an Agency.  Over lunch, I made
that same observation to my hosts, and observed that at least they worked
in a place where the organizational culture understood the need for security.
I got these pained looks, before someone said, "well, parts of the organization
understand it".)
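The traffic-analysis idea raised above, as an added example that is not part of the original thread: a heuristic run over constructed proxy log lines that flags client/host pairs showing many small, evenly spaced requests with a mixed GET/POST pattern, which is how a polling tunnel through a proxy tends to look in logs. The log format, the thresholds, and the hostnames are assumptions for illustration, not a proven detector.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic):
# epoch_seconds client method host bytes
SAMPLE_LOG = """\
922200000 10.0.0.5 GET www.example.com 5120
922200047 10.0.0.5 GET img.example.com 20480
922200131 10.0.0.5 GET news.example.org 7300
922200000 10.0.0.9 POST tunnel.example.net 64
922200002 10.0.0.9 GET tunnel.example.net 64
922200004 10.0.0.9 POST tunnel.example.net 64
922200006 10.0.0.9 GET tunnel.example.net 64
922200008 10.0.0.9 POST tunnel.example.net 64
922200010 10.0.0.9 GET tunnel.example.net 64
922200012 10.0.0.9 POST tunnel.example.net 64
922200014 10.0.0.9 GET tunnel.example.net 64
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, size) from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        yield int(ts), client, method, host, int(size)


def score_flows(log_text, min_requests=6, max_cv=0.25, max_avg_bytes=512):
    """Return {(client, host): reason} for flows whose timing looks machine-driven.

    Heuristic (assumed thresholds): many small requests to one host at
    near-constant intervals, mixing GETs and POSTs, resemble a polling
    tunnel more than a person browsing.  Tune the thresholds per site.
    """
    flows = defaultdict(list)
    for ts, client, method, host, size in parse_log(log_text):
        flows[(client, host)].append((ts, method, size))
    suspects = {}
    for key, reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0  # regularity of polling
        avg_bytes = mean(r[2] for r in reqs)
        posts = sum(1 for r in reqs if r[1] == "POST")
        if cv <= max_cv and avg_bytes <= max_avg_bytes and 0 < posts < len(reqs):
            suspects[key] = f"{len(reqs)} reqs, gap cv={cv:.2f}, avg {avg_bytes:.0f} bytes"
    return suspects
```

A real deployment would read the proxy's own log format and would treat a hit as a lead for a human to follow up, not as proof, since legitimate software also polls on a timer.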
