Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: tunnel vs open a hole

From: Adam Shostack <adam () homeport org>
Date: Sun, 6 Apr 2003 15:04:50 -0400
On Fri, Apr 04, 2003 at 03:53:36PM -0500, Anton A. Chuvakin wrote:
| All,
| 
| Sorry for this somewhat generic query, but I'd really want to know the
| general consensus on the issue from the esteemed list members. I have
| seen that such debates often spark on the list, and I think summary (which
| might arise as a result of my query) would be useful for everybody, so...
| 
| ...if to run a new application you'd have to either:
| 
| 1. open a new port
| 2. accept tunneling over already open port/protocol
| 
| which would you choose?
| 
| To clarify, imagine you have to have something that need to talk thru a
| firewall from a less secure compartment to a more secure one. And the
| options are: open TCP port XXXXX (to the required host only, of course),
| or tunnel over currently open (or proxied) port 80?

Opening a new port allows you to compartmentalize, should you discover
that the external component has vulnerabilities.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: