Firewall Wizards mailing list archives
Default routes: Good or bad? (WAS: Checkpoint for internet access )
From: Ben Nagy <bnagy () sa volante com au>
Date: Mon, 23 Oct 2000 09:45:31 +0930
-----Original Message-----
From: Andrew J Bernoth/Boulder/IBM [mailto:bernoth () us ibm com]
Sent: Saturday, 21 October 2000 7:11 AM
To: Zarcone, Christopher
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Checkpoint for internet access
[snip]
With a proxy or socks server a secure network can have a default route to a bit bucket, which means if someone's application doesn't know how to use the proxy or socks services then it's not going anywhere. [...] However, I think it still comes back to this: any application that can now direct itself to the nearest internet firewall has a good chance of getting out. A quick glance on google.com shows me just under 6000 articles on "port 80 hacks"; sure, some of these will probably be proxy/socks aware and can figure out the best place to send my packet to from my browser config file, but then some might not be that smart.
I'm really unconvinced that you're protecting yourself from anything here. If someone is clueful enough to even conceptualise tunneling over HTTP they will be able to check the "use proxy" box in the tool.
Surely if I don't have a default route to the network I am at least protecting myself from the "not so smart" hack?
The only real problem I have with your approach is that you require the clients or the apps to be socks / proxy aware. If the client is SOCKS aware then it will attempt to use it for any connection - so this buys you nothing over having a default route and we may as well not discuss it. Therefore your only security margin is where you can restrict your users to apps that are proxy-aware (and proxy-able). That's probably not many commercial or academic networks.

Remember that you can use transparent proxy firewalls to provide you with almost the same effect - but using a default gateway. That releases you from the need to use apps that are explicitly proxy aware and you can still turn apps on and off at the proxy level. I would argue that the security of such a network is as great as the no-gw model and that there is much more flexibility.

All in all, I would personally resign myself to the fact that firewalls aren't meant to keep people _in_ and that most attempts to use them to do so are doomed to failure. A default route on each desktop doesn't seem so bad to me. You can always (and should - especially for M$ networks) apply egress filters to block stuff you know shouldn't be leaving. I agree that it lacks the elegance of a null or nonexistent route, but it's effective in some instances.
Regards,
Andrew J Bernoth
bernoth () us ibm com
"The views expressed above are my own and do not necessarily reflect those of IBM"
Cheers,
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards