Firewall Wizards mailing list archives

Re: Do you permit X11 via proxy firewall?


From: ArkanoiD <ark () eltex net>
Date: Fri, 7 Sep 2007 02:25:00 +0400

On Wed, Sep 05, 2007 at 04:48:46PM -0700, dlang () diginsite com wrote:
On Thu, 6 Sep 2007, ArkanoiD wrote:

That's most practical, almost everyone is doing that.
So we can declare x11 gateways officially dead, I guess.

On Wed, Sep 05, 2007 at 05:02:50PM -0400, Paul Melson wrote:
And, if yes, how do you implement it?

No, that's what 'ssh -X' is for.

why is tunneling X through firewalls noticeably safer than just doing packet 
filtering to allow it through?

Because it ensures proper endpoint authentication, encryption and ensures
(well, to some extent) that no malicious connections will be made through
the tunnel. At least it does it better, as packet filtering rules are static.

The same rationale applies for x11 gateways: most of them present a kind
of confirmation dialog for every new client connection.

if the only answer is because it prevents someone from intercepting and 
tinkering with the TCP datastream then it's only relevant in some situations and 
you are saying that in others it's perfectly safe to just do packet filtering.

remember, just because everyone is doing it, it may not be safe.

It is not, as nothing is safe, but sometimes it is acceptable risk ;-)

remember almost everyone thinks that firewalls are just packet filters and have 
no business actually looking at the packets that they let through.

Not us ;-)
