Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Dave Piscitello <dave () corecom com>
Date: Tue, 08 Apr 2003 13:16:58 -0400
Sorry for late input to this topic, but having read the thread I'd like to return to a point Marcus made: "The real question is whether the tunnelling system provides _ANY_ security controls above and beyond ip/src/dest/logging." No one discussed the benefits of using an encrypted, authenticated tunnel (SSL, SSH, ...), which do provide additional controls.

If I were developing/deploying a (presumably) distributed application *today*, I would begin with the assumption that I need stronger authentication than UIPW, message integrity, and message confidentiality. Many of the problems we struggle to correct today stem from the fact that we think of security as something orthogonal to application functionality rather than a core component/requirement.

At 02:59 PM 4/6/2003 -0400, Marcus J Ranum wrote:
> Anton A. Chuvakin wrote:
> >To clarify, imagine you have to have something that need to talk thru a
> >firewall from a less secure compartment to a more secure one. And the
> >options are: open TCP port XXXXX (to the required host only, of course),
> >or tunnel over currently open (or proxied) port 80?
>
> Both options have the same security properties - tunnelling is pretty much exactly the same as opening a port, except that whatever does the tunnelling may log the event. (Which your firewall can do in the case of opening a port.)
>
> The real question is whether the tunnelling system provides _ANY_ security controls above and beyond ip/src/dest/logging. If not, then they're 100% the same. If you can do some kind of content filtering or control, then it might be worth it.
>
> Protocol-over-protocol "attacks" mooted firewalls a loooooooong time ago. We've just been cheerfully ignoring that fact. I was tunnelling IP packets uuencoded over smtp back in the early 1990's (I guess it would have been 1993 or -4) and got good enough RTTs that I could even NFS-mount filesystems across a firewall once I had tuned the NFS timeouts and retries correctly.
>
> mjr.
> ---
> Marcus J. Ranum http://www.ranum.com
> Computer and Communications Security mjr () ranum com
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
David M. Piscitello
Core Competence, Inc. & 3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
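The contrast Dave draws (a bare port opening that decides on addresses alone versus a tunnel that authenticates its peer and protects message integrity) can be made concrete with a small simulation. This is an added example, not code from the thread or from any of the posters: it models one direction of a keyed, integrity-protected tunnel using HMAC-SHA256 over a sequence number and payload, and shows that a peer without the shared key, an on-path modification, and a replayed frame are each rejected before the payload is delivered, while a plain firewall rule for the same connection would pass every one of those frames because it only sees src/dst. The shared key, the addresses and the rule set are constructed for the demo; real tunnels (TLS, SSH) derive such keys from the authenticated handshake rather than pre-sharing them.

```python
"""Added example: what an authenticated tunnel checks that a port opening cannot."""
import hashlib
import hmac
import os
import struct

SEQ_LEN = 8    # big-endian 64-bit sequence number prefix
TAG_LEN = 32   # HMAC-SHA256 output length

# Constructed firewall rule: the "open a hole" option. It sees only addresses.
ALLOWED_FLOWS = {("10.1.1.5", "10.2.2.9", 8443)}


def bare_port_accepts(src_ip, dst_ip, dst_port, payload):
    """A port opening admits any payload at all once the 5-tuple matches."""
    del payload  # the filter has no way to inspect or authenticate it
    return (src_ip, dst_ip, dst_port) in ALLOWED_FLOWS


class AuthenticatedChannel:
    """One endpoint of a toy tunnel: frames are seq || payload || HMAC(key, seq || payload)."""

    def __init__(self, key):
        self.key = key          # shared secret, constructed for the demo
        self.send_seq = 0       # next sequence number this side will emit
        self.recv_seq = 0       # lowest sequence number this side will still accept

    def seal(self, payload):
        header = struct.pack(">Q", self.send_seq)
        self.send_seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def unseal(self, frame):
        """Return the payload, or raise ValueError if the frame fails any control."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time compare: rejects unknown senders and any tampering.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad authentication tag")
        (seq,) = struct.unpack(">Q", header)
        # Monotonic counter: a frame older than the last accepted one is a replay.
        if seq < self.recv_seq:
            raise ValueError("replayed frame")
        self.recv_seq = seq + 1
        return payload


def tunnel_accepts(receiver, frame):
    try:
        receiver.unseal(frame)
        return True
    except ValueError:
        return False


def scenario_results():
    """Run the four cases and report what each control path decides."""
    key = os.urandom(32)
    sender, receiver = AuthenticatedChannel(key), AuthenticatedChannel(key)
    results = {}

    # 1. Legitimate peer with the key: delivered.
    results["legit"] = tunnel_accepts(receiver, sender.seal(b"GET /orders"))

    # 2. A different principal on an allowed address but without the key.
    impostor = AuthenticatedChannel(os.urandom(32))
    results["wrong_key"] = tunnel_accepts(receiver, impostor.seal(b"DELETE /orders"))

    # 3. On-path modification of a genuine frame (tag no longer matches).
    frame = sender.seal(b"amount=10")
    tampered = frame[:SEQ_LEN] + b"amount=99" + frame[-TAG_LEN:]
    results["tampered"] = tunnel_accepts(receiver, tampered)

    # 4. The genuine frame delivered once (ok) and then again (replay).
    results["replay_first"] = tunnel_accepts(receiver, frame)
    results["replay_second"] = tunnel_accepts(receiver, frame)

    # The bare port opening passes the tampered frame just as happily as any other.
    results["bare_port"] = bare_port_accepts("10.1.1.5", "10.2.2.9", 8443, tampered)
    return results


if __name__ == "__main__":
    for case, accepted in scenario_results().items():
        print(f"{case:14s} accepted={accepted}")
```

The design point is that the tunnel's decisions depend on possession of a key and on the bytes themselves, which is exactly the "security controls above and beyond ip/src/dest/logging" the thread asks about; the sequence check is the minimal replay defence, and a production protocol would also encrypt the payload and bind the key to an authenticated identity.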
Current thread:
- Re: Application requires VPN - How are these handled?, (continued)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mike Scher (Apr 02)
- tunnel vs open a hole Anton A. Chuvakin (Apr 06)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 06)
- Re: tunnel vs open a hole Barney Wolff (Apr 06)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 06)
- Re: tunnel vs open a hole Crispin Cowan (Apr 07)
- Re: tunnel vs open a hole Barney Wolff (Apr 07)
- Re: tunnel vs open a hole Crispin Cowan (Apr 07)
- Re: tunnel vs open a hole Dave Piscitello (Apr 08)
- Re: tunnel vs open a hole Frederick M Avolio (Apr 08)
- Re: tunnel vs open a hole Adam Shostack (Apr 08)
- Re: tunnel vs open a hole Dave Piscitello (Apr 08)
- Re: tunnel vs open a hole Frederick M Avolio (Apr 09)
- Re: tunnel vs open a hole Frank Knobbe (Apr 08)
- Re: tunnel vs open a hole Adam Shostack (Apr 06)
- Re: tunnel vs open a hole Mikael Olsson (Apr 06)
- Re: tunnel vs open a hole Bernie, CTA (Apr 06)
- Re: tunnel vs open a hole Christine Kronberg (Apr 07)
- Re: tunnel vs open a hole Anton A. Chuvakin (Apr 07)