Firewall Wizards mailing list archives
socks (was Re: FEP - Firewall enhancement protocol)
From: Bennett Todd <bet () rahul net>
Date: Wed, 28 Jul 2004 22:51:12 +0000
2004-07-26T20:25:56 ArkanoiD:
> (Yes, I don't like socks. It provides no protocol knowledge and may lead into punching gaping holes in the firewall when used without proper restrictions. You may even bind external ports with it!)
I have to admit I like socks. Glad it's in my toolchest. Protocol-specific proxies are certainly what I reach for first, and Just Say No is a favourite approach.

But socks can be significantly nicer than the alternatives I know of when there's a business need to allow a protocol, which cannot be effectively man-in-the-middled, and which doesn't have a builtin wrapper allowing user authentication and entitlements. SSL and ssh are examples that leap to mind.

While socks provides no more protocol-specific protection than simply port forwarding or plug-gw-style proxies, it can enable authentication and fine-grained entitlements. Pick and choose who is allowed to connect to what over which ports, require them to authenticate as users (rather than having to trust the client IP), and log who connected where, and when.

I'm looking forward to the day when we can instead deploy springboard servers for such services, and users authorized to use the services run them via script that actually runs the security-worrisome app in a sandbox in the DMZ. We're getting there, not quite got all the bits yet.

-Bennett
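
The per-user entitlements and logging described in the message above, as an added example that is not part of the original post and not taken from any SOCKS server: a default-deny check over a parsed SOCKS5 request (RFC 1928), in which BIND is refused unless a rule grants it. It assumes the user name was already verified, for instance by RFC 1929 username/password authentication; `ENTITLEMENTS`, `decide`, the users and the addresses are hypothetical.

```python
import ipaddress
import struct
from datetime import datetime, timezone

COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP-ASSOCIATE"}
# Constructed entitlements: user -> [(command, destination network, ports)].
# Hypothetical users and networks; anything unlisted, BIND included, is denied.
ENTITLEMENTS = {
    "alice": [("CONNECT", ipaddress.ip_network("192.0.2.0/24"), {22})],
    "bob": [("CONNECT", ipaddress.ip_network("198.51.100.10/32"), {443})],
}
# Constructed sample requests: CONNECT and BIND to 192.0.2.5 port 22.
CONNECT_SSH = bytes([5, 1, 0, 1, 192, 0, 2, 5, 0, 22])
BIND_SSH = bytes([5, 2, 0, 1, 192, 0, 2, 5, 0, 22])

def parse_request(data: bytes):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928, section 4)."""
    if len(data) < 7 or data[0] != 5 or data[2] != 0 or data[1] not in COMMANDS:
        raise ValueError("malformed SOCKS5 request")
    atyp = data[3]
    if atyp not in (1, 3, 4):
        raise ValueError("unknown address type")
    # IPv4 is 4 bytes, IPv6 is 16, a domain name is length-prefixed.
    end = {1: 8, 4: 20, 3: 5 + data[4]}[atyp]
    if len(data) != end + 2:
        raise ValueError("bad request length")
    if atyp == 3:
        host = data[5:end].decode("ascii")
    else:
        host = ipaddress.ip_address(data[4:end])
    (port,) = struct.unpack("!H", data[end:])
    return COMMANDS[data[1]], host, port

def decide(user: str, data: bytes, log: list) -> bool:
    """Default-deny check for an already authenticated user; always logs."""
    try:
        cmd, host, port = parse_request(data)
    except ValueError as exc:
        cmd, host, port = "INVALID", str(exc), 0
    # Names are denied: the rules are written on addresses, not DNS answers.
    allowed = not isinstance(host, str) and any(
        cmd == c and host in net and port in ports
        for c, net, ports in ENTITLEMENTS.get(user, []))
    log.append((datetime.now(timezone.utc).isoformat(), user, cmd,
                str(host), port, "ALLOW" if allowed else "DENY"))
    return allowed
```

Every decision, allowed or not, leaves a record of who asked for which command, destination and port, and when.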