Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 08 Apr 2003 00:58:56 +0200



"Anton A. Chuvakin" wrote:

[I agree ... BUT]

> surely people started to httptunnel not just because it was
> a fun thing to do?

No, it was made so that users/intruders could bypass the
security policy of a given network.


> surely you'd know of places where it is done exactly like that.

If I found someone doing that on my network, that someone would 
find himself without Internet access. Internet access is not
a requirement for the majority of jobs out there.


> Additionally, what if opening a port turns into "let's open yet
> another port in our swiss-cheese firewall and pray this application
> can't be exploited"?  Will tunneling be justified in this case?
> Will it not reduce security a bit less than opening a port?

How? A port is a 16-bit integral number. Attacks are not mounted
over 16-bit integral numbers. You attack _code_. The same code
gets exposed regardless of whether it's being tunneled over
port 80 or not.  Not to mention that you are now also exposing
the HTTP tunneling code, which you wouldn't be exposing if you
weren't doing HTTP tunneling.



-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

