Firewall Wizards mailing list archives

Re: socks (was Re: FEP - Firewall enhancement protocol)


From: Bennett Todd <bet () rahul net>
Date: Thu, 29 Jul 2004 01:48:15 +0000

2004-07-29T00:07:22 ArkanoiD:
> Unless kerberized (I've yet to see a firewall that integrates with
> Kerberos properly - or should I do it myself) socks authentication
> is ridiculously weak (reusable password) :-(.

A lot of shops use reusable passwords extensively on their internal
networks.

> No implementation is even ssl-enabled..

I've not looked into it in detail, but one shop I worked at had
what they called a "vpn" for remote access (I disputed the name:-)
that was simply socks over SSL.

> Speaking of SSL, there is a standard CONNECT method (which is no better,
> just the proxy is simpler than socks)

I can't agree with that; socks is extraordinarily simple, and I've yet to
see an HTTP proxy that was as simple. If nothing else, HTTP is more
complex to parse.

But I wasn't really thinking about https when I mentioned socks as
handy for adding slightly more control to SSL than port forwarding;
I was thinking more about other arbitrary apps that encapsulate over ssl,
not an uncommon strategy for various b2b one-offs.

And, speaking of the standard CONNECT method used by http
browsers and proxies to bore https through firewalls, at least
one socks client implementation (Dante's) can route over it.
Of late my favourite socks client is the gloriously simple
connect by Shun-ichi GOTO <gotoh () taiyo co jp>, available from
<URL:http://www.imasy.or.jp/~gotoh/ssh/connect.c>. I first learned
about it by searching for how to socksify openssh. Oh, and it can
route over http proxies via CONNECT as well:-).

-Bennett
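As an added illustration (not code from this thread, from Dante, or from connect.c) of the two points above: the RFC 1929 username/password subnegotiation that SOCKS5 uses puts the credentials on the wire unencrypted, so anything on the path (a sniffer, or equally an IDS looking for credential leakage) can read them back, while the SOCKS5 CONNECT request and the HTTP CONNECT request side by side show how little parsing the SOCKS framing needs. The user name, password and host below are constructed sample values.

```python
import struct

# SOCKS5 (RFC 1928) constants and the RFC 1929 username/password method.
SOCKS_VER, AUTH_USERPASS, CMD_CONNECT, ATYP_DOMAIN = 0x05, 0x02, 0x01, 0x03

def socks5_greeting() -> bytes:
    """Client greeting offering only username/password authentication."""
    return bytes([SOCKS_VER, 1, AUTH_USERPASS])

def socks5_userpass(user: str, password: str) -> bytes:
    """RFC 1929 message: VER=0x01, ULEN, UNAME, PLEN, PASSWD. No encryption at all."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def parse_userpass(buf: bytes) -> dict:
    """What a passive observer (or an IDS credential-leak rule) recovers from the bytes."""
    if not buf or buf[0] != 0x01:
        raise ValueError("not an RFC 1929 auth message")
    ulen = buf[1]
    user = buf[2:2 + ulen]
    plen = buf[2 + ulen]
    pw = buf[3 + ulen:3 + ulen + plen]
    return {"user": user.decode(), "password": pw.decode()}

def socks5_connect(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT request: VER, CMD, RSV, ATYP, len, name, port (network order)."""
    h = host.encode()
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)

def parse_socks5_connect(buf: bytes) -> tuple:
    """Fixed-offset parse; only the domain-name address type is handled here."""
    if buf[:4] != bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN]):
        raise ValueError("not a SOCKS5 CONNECT with a domain name")
    n = buf[4]
    host = buf[5:5 + n].decode()
    (port,) = struct.unpack("!H", buf[5 + n:7 + n])
    return host, port

def http_connect(host: str, port: int) -> bytes:
    """The HTTP CONNECT request a browser or connect.c sends to a web proxy."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def parse_http_connect(buf: bytes) -> tuple:
    """Text parse of the request line: split on spaces, then the last colon of the target."""
    line = buf.split(b"\r\n", 1)[0].decode()
    method, target, version = line.split(" ")
    if method != "CONNECT" or not version.startswith("HTTP/"):
        raise ValueError("not an HTTP CONNECT request")
    host, port = target.rsplit(":", 1)
    return host, int(port)
```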
