Firewall Wizards mailing list archives

Re: Bypassing firewall


From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 31 Jan 2000 11:37:39 -0500

I think this discussion is really another manifestation of Ranum's Law:  You 
can't solve social problems with software.  Yes, you can make it harder, but 
*any* bidirectional channel can be used for tunneling.  You have two choices:  
"persuade" employees that the firewall policies are reasonable (and take 
appropriate action if folks don't go along), or modify your firewall policy to 
conform to reality.  That brings up my own "law":  you can't use technical 
mechanisms to enforce a stronger security policy than the organizational 
culture will support.  (I once made that observation when giving a talk at, 
umm, some government organization somewhere.  I remarked over lunch that at 
least they had a culture that understood the need for security.  My hosts gave 
me this pained look, before someone said "well, parts of the organization".  I 
later told that story to someone else who worked there.  Her response was 
"that's right; I have to get my job done, and I can't let the !@#$%^ firewall 
get in the way.")

Your mileage may vary -- but probably not by very much.  I'm endlessly amused 
by people who try to design new protocols to live on top of HTTP, simply 
because that's something that can often get through firewalls.  My own opinion 
is that if you *need* to get something through a firewall, open up the port -- 
and instead design protocols that are easy to inspect and/or proxy.

                --Steve Bellovin
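
An added illustration of the two technical points in the message above (that any bidirectional channel, here plain HTTP POSTs, can carry a tunnel, and that a protocol with a declared structure is one a proxy can actually inspect). This is example code written for this archive page, not code from Bellovin or from the list; the host name, path, form field names and the size and entropy thresholds are invented for the example.

```python
"""Added illustration, not code from Bellovin's message or the list archive.

Shows (1) arbitrary bytes riding inside ordinary-looking HTTP POST requests,
i.e. a bidirectional channel used as a tunnel, and (2) the checks a proxy can
apply once the protocol declares its structure. Host, path, field names and
thresholds are invented for the example."""
import base64
import math
from collections import Counter

HOST = b"sync.example.com"   # assumed
PATH = b"/api/sync"          # assumed


def build_request(body: bytes) -> bytes:
    """Wrap a form-encoded body in a syntactically valid HTTP/1.1 POST."""
    head = [
        b"POST " + PATH + b" HTTP/1.1",
        b"Host: " + HOST,
        b"Content-Type: application/x-www-form-urlencoded",
        b"Content-Length: " + str(len(body)).encode(),
    ]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


def parse_request(raw: bytes) -> tuple[dict[bytes, bytes], bytes]:
    """Split a raw request into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def encode_tunnel_frames(payload: bytes, chunk: int = 48) -> list[bytes]:
    """Tunnel side: carve a byte stream into numbered POST requests.

    A port-based firewall sees only HTTP to a web host. The reverse direction
    works the same way with response bodies, which is the point about any
    bidirectional channel being tunnelable.
    """
    frames = []
    for seq, off in enumerate(range(0, len(payload), chunk)):
        piece = base64.urlsafe_b64encode(payload[off:off + chunk])
        frames.append(build_request(b"seq=%d&d=%s" % (seq, piece)))
    return frames


def decode_tunnel_frames(frames: list[bytes]) -> bytes:
    """Far end of the tunnel: reassemble the stream, tolerating reordering."""
    pieces = {}
    for raw in frames:
        _, body = parse_request(raw)
        fields = dict(kv.split(b"=", 1) for kv in body.split(b"&"))
        pieces[int(fields[b"seq"])] = base64.urlsafe_b64decode(fields[b"d"])
    return b"".join(pieces[i] for i in sorted(pieces))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; base64 of binary data runs well above plain text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def inspect_request(raw: bytes, max_field: int = 32, min_entropy: float = 4.8) -> list[str]:
    """Proxy side: checks that a declared, structured body makes possible.

    Returns findings (empty list means pass). Thresholds are illustrative.
    This raises the bar rather than closing the channel: a determined user
    can pad, lower the entropy or spread data over many small fields.
    """
    findings = []
    headers, body = parse_request(raw)
    declared = headers.get(b"content-length")
    if declared is None or not declared.isdigit() or int(declared) != len(body):
        findings.append("content-length does not match body")
    if headers.get(b"content-type") != b"application/x-www-form-urlencoded":
        findings.append("unexpected content-type")
        return findings
    for kv in body.split(b"&"):
        name, _, value = kv.partition(b"=")
        label = name.decode("ascii", "replace")
        if len(value) > max_field:
            findings.append(f"field {label}: {len(value)} bytes exceeds {max_field}")
        if len(value) >= 16 and (h := shannon_entropy(value)) >= min_entropy:
            findings.append(f"field {label}: entropy {h:.2f} looks like encoded binary")
    return findings


if __name__ == "__main__":
    frames = encode_tunnel_frames(bytes(range(256)))   # constructed payload
    assert decode_tunnel_frames(frames) == bytes(range(256))
    print("legit:", inspect_request(build_request(b"user=alice&action=logout")))
    print("tunnel:", inspect_request(frames[0]))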
