Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sun, 06 Apr 2003 22:51:47 +0200


"Anton A. Chuvakin" wrote:

...if to run a new application you'd have to either:
1. open a new port
2. accept tunneling over already open port/protocol
which would you choose?

If indeed the choice is as simple as you describe, it's a
no-brainer for me.  The short-short version:

- Opening a new port exposes nothing that you wouldn't be exposing
  anyway (through tunneling).

- Opening a new port lets me monitor the new traffic independently.

- Opening a new port lets me SHUT DOWN the new traffic immediately
  without disrupting the other service, should I ever need to do so.

- HTTP tunneling is evil. See RFC 3205, also Best Current 
  Practice #65, "On the use of HTTP as a Substrate": 
  http://www.ietf.org/rfc/rfc3205.txt


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
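The second and third points in the reply (independent monitoring, independent shutdown) can be checked concretely with a toy model of a first-match, default-deny port filter. This is an added example, not code from the post or from Clavister; the rule names, the choice of port 8443 for the new application, and the sample flows are all constructed for illustration.

```python
"""Toy stateless port filter contrasting 'open a new port' with
'tunnel over an already open port' (constructed example, hypothetical)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Rule:
    """One line of the rulebase, with its own hit counter."""
    name: str
    dport: int
    action: str            # "accept" or "drop"
    enabled: bool = True
    hits: int = 0          # per-rule counter: this is the independent monitoring


@dataclass
class Flow:
    """A connection as the filter sees it, plus ground truth it cannot see."""
    dport: int
    app: str               # "http" or "newapp"; a port filter never sees this


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation with a default-deny tail."""
    for rule in policy:
        if rule.enabled and rule.dport == flow.dport:
            rule.hits += 1
            return rule.action
    return "drop"


# Constructed sample traffic: two ordinary web connections plus the new app.
# Port 8443 is an assumed choice for the dedicated port.
TRAFFIC_NEW_PORT = [Flow(80, "http"), Flow(80, "http"), Flow(8443, "newapp")]
TRAFFIC_TUNNELED = [Flow(80, "http"), Flow(80, "http"), Flow(80, "newapp")]


def build(option: str) -> Tuple[List[Rule], List[Flow]]:
    """Return (policy, traffic) for 'new_port' or 'tunnel'."""
    if option == "new_port":
        return [Rule("web", 80, "accept"), Rule("newapp", 8443, "accept")], TRAFFIC_NEW_PORT
    if option == "tunnel":
        return [Rule("web", 80, "accept")], TRAFFIC_TUNNELED
    raise ValueError(option)


def per_rule_counts(option: str) -> Dict[str, int]:
    """Monitoring: what each rule's counter shows after the sample traffic."""
    policy, traffic = build(option)
    for flow in traffic:
        evaluate(policy, flow)
    return {rule.name: rule.hits for rule in policy}


def shutdown_new_app(option: str) -> Dict[str, Set[str]]:
    """Shut the new application down and report the verdicts each app gets."""
    policy, traffic = build(option)
    if option == "new_port":
        # one dedicated rule flipped off; the web rule is untouched
        next(r for r in policy if r.name == "newapp").enabled = False
    else:
        # the filter cannot separate the tunnel from HTTP, so the only
        # lever it has is the port 80 rule itself
        policy[0].enabled = False
    verdicts: Dict[str, Set[str]] = {}
    for flow in traffic:
        verdicts.setdefault(flow.app, set()).add(evaluate(policy, flow))
    return verdicts


if __name__ == "__main__":
    for option in ("new_port", "tunnel"):
        print(option, "counters:", per_rule_counts(option))
        print(option, "after shutdown:", shutdown_new_app(option))
```

With the dedicated port, the counters separate the two applications and disabling the new rule drops only the new application; with tunneling, the web rule's counter absorbs the tunneled flows and the only way to stop them at this layer is to take port 80 down with them.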
