Firewall Wizards mailing list archives

Re: IP over DNS.


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Wed, 13 Sep 2000 13:33:31 +0200


Darren Reed wrote:

[On DNS tunneling]
> The biggest problem is that without doing bad things to
> DNS*, you can't stop this from being set up without putting
> in place a full proxy-based firewall.

... and proxy firewalls can't stop tunneling over HTTP or 
SMTP anyway, so we're back to square one:
"if someone wants to tunnel something from the inside, 
and wants it bad enough, there's no way in hell you
can stop them with anything less than an A1 firewall".

> Does this spell the end of packet filtering for high
> security firewalls?

Nah, I'd pick a properly built SPF over a huge proxy with 
filtering software from the makers of Barbie & Ken any day ;)
<flame shield on>

/Mike

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se
