Firewall Wizards mailing list archives

socks (was Re: FEP - Firewall enhancement protocol)


From: Bennett Todd <bet () rahul net>
Date: Wed, 28 Jul 2004 22:51:12 +0000

2004-07-26T20:25:56 ArkanoiD:
> (Yes, I don't like socks. It provides no protocol knowledge and
> may lead into punching gaping holes in the firewall when used
> without proper restrictions. You may even bind external ports with
> it!)

I have to admit I like socks. Glad it's in my toolchest.

Protocol-specific proxies are certainly what I reach for first, and
Just Say No is a favourite approach.

But socks can be significantly nicer than the alternatives I
know of when there's a business need to allow a protocol, which
cannot be effectively man-in-the-middled, and which doesn't have a
builtin wrapper allowing user authentication and entitlements. SSL
and ssh are examples that leap to mind. While socks provides no
more protocol-specific protection than simply port forwarding or
plug-gw-style proxies, it can enable authentication and fine-grained
entitlements. Pick and choose who is allowed to connect to what over
which ports, require them to authenticate as users (rather than
having to trust the client IP), and log who connected where, and
when.

I'm looking forward to the day when we can instead deploy
springboard servers for such services, and users authorized to use
the services run them via a script that actually runs the
security-worrisome app in a sandbox in the DMZ. We're getting there,
not quite got all the bits yet.

-Bennett
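As an added example, not code from the original thread or from any particular SOCKS implementation, the following Python sketches the SOCKS5 exchange Bennett is describing: method selection that refuses "no authentication", RFC 1929 username/password subnegotiation, a per-user entitlement check on the CONNECT request, outright refusal of BIND and UDP ASSOCIATE (the "bind external ports" hole ArkanoiD objects to), and an audit line recording who connected where and when. There are no sockets; each function takes the client's bytes and returns the server's reply so the exchange can be traced offline. The user accounts, passwords, ACL entries and host names are constructed for illustration, and the salted SHA-256 password digest is a stand-in for a real credential store, not a recommendation.

```python
"""SOCKS5 policy engine: RFC 1928 handshake plus RFC 1929 user/pass auth.

Added example (not from the original thread).  Users, passwords, ACL and
host names below are constructed for illustration.
"""
import fnmatch
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timezone

SOCKS_VER = 0x05
AUTH_USERPASS, AUTH_NO_ACCEPTABLE = 0x02, 0xFF
CMD_CONNECT = 0x01                      # BIND = 0x02, UDP ASSOCIATE = 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def password_digest(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 stand-in for a real credential store (constructed)."""
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {  # username -> (salt, digest); constructed test accounts
    "alice": (b"salt-a", password_digest(b"salt-a", "correct horse")),
    "bob": (b"salt-b", password_digest(b"salt-b", "hunter2")),
}
ACL = {  # username -> [(host glob, port)] the user may CONNECT to; constructed
    "alice": [("*.partner.example", 443), ("git.partner.example", 22)],
    "bob": [("*.partner.example", 443)],
}


def select_method(greeting: bytes) -> bytes:
    """Method selection: accept only username/password, never 'no auth'."""
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != SOCKS_VER or AUTH_USERPASS not in methods:
        return bytes([SOCKS_VER, AUTH_NO_ACCEPTABLE])  # client must close
    return bytes([SOCKS_VER, AUTH_USERPASS])


def authenticate(subneg: bytes):
    """RFC 1929 subnegotiation; returns (reply bytes, username or None)."""
    failure = bytes([0x01, 0x01])
    if subneg[0] != 0x01:
        return failure, None
    ulen = subneg[1]
    uname = subneg[2:2 + ulen].decode("utf-8", "replace")
    plen = subneg[2 + ulen]
    passwd = subneg[3 + ulen:3 + ulen + plen].decode("utf-8", "replace")
    salt, stored = USERS.get(uname, (b"dummy", password_digest(b"dummy", "")))
    candidate = password_digest(salt, passwd)   # unknown users still cost one digest
    if uname not in USERS or not hmac.compare_digest(candidate, stored):
        return failure, None
    return bytes([0x01, 0x00]), uname


def parse_request(req: bytes):
    """Parse a SOCKS5 request into (cmd, host, port)."""
    ver, cmd, atyp = req[0], req[1], req[3]
    if ver != SOCKS_VER:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("ascii"), req[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    else:
        raise ValueError("unknown address type")
    return cmd, host, struct.unpack("!H", rest[:2])[0]


def build_reply(rep: int) -> bytes:
    """Server reply with a zero bind address (nothing is relayed here)."""
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])


def authorize(user: str, req: bytes, log: list, now=None) -> bytes:
    """Apply the user's entitlements to a request and append an audit line."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        # BIND and UDP ASSOCIATE let a client make the proxy open ports on
        # the outside; refuse them regardless of who asks.
        log.append(f"{now} DENY user={user} cmd={cmd:#04x} {host}:{port} command not allowed")
        return build_reply(REP_CMD_UNSUPPORTED)
    for pattern, allowed_port in ACL.get(user, []):
        if port == allowed_port and fnmatch.fnmatchcase(host.lower(), pattern):
            log.append(f"{now} ALLOW user={user} CONNECT {host}:{port}")
            return build_reply(REP_OK)
    log.append(f"{now} DENY user={user} CONNECT {host}:{port} no entitlement")
    return build_reply(REP_RULESET)


if __name__ == "__main__":
    audit = []
    assert select_method(b"\x05\x02\x00\x02") == b"\x05\x02"
    _, who = authenticate(b"\x01\x05alice\x0dcorrect horse")
    dest = b"\x05\x01\x00\x03\x13www.partner.example" + struct.pack("!H", 443)
    authorize(who, dest, audit)
    authorize(who, b"\x05\x02" + dest[2:], audit)   # same target via BIND: denied
    print("\n".join(audit))
```

The point of the structure is that the entitlement decision is keyed on the authenticated username from the subnegotiation, never on the client address, and that the decision and its outcome land in the audit log before any relaying would happen. A real deployment would also bound the destination resolution (ATYP 0x03 names are resolved by the proxy, so the ACL glob is matched against the name the client asked for, not the address it resolves to) and would rate-limit failed subnegotiations.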
