Firewall Wizards mailing list archives

encapsulated protocols?


From: "Mark Horn [ Net Ops ]" <mhorn () funb com>
Date: Tue, 3 Feb 1998 11:43:26 -0500

Hello,

Lately, I've noticed an increasing number of network protocols that are
encapsulating themselves over existing protocols, and then using some of
our proxies to navigate anywhere on the Internet.

Most recently I discovered VXTreme, a video streaming protocol.  The
client is a browser plugin.  It is able to communicate through the
firewall by contacting the configured HTTP proxy, and opening up a URL
which points to a remote VXTreme server.

This kinda scares me.  One of the premises of running a firewall is that
you explicitly deny any protocol that is unknown.  Well, if new protocols
are encapsulating themselves into known protocols, how can you keep a
handle on what protocols are running through the firewall?

The end result is that any protocol can traverse the firewall.  You simply
need to get the "plugin" to the inside, and then you're home free.  Does
anyone have any clever ideas as to how to prevent this encapsulation
trick?

-- 
Mark Horn <mhorn () funb com>

PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
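The tunnelling pattern the post describes (a plugin that speaks its own protocol but hands the proxy an ordinary-looking HTTP request) and one proxy-side policy check against it, as an added example that is not part of the original message or of any product it mentions. The sample requests and responses below are constructed for illustration; the host names, the port 7070, and the allowlists of methods, ports and content types are assumptions chosen to show the technique, not a recommended site policy.

```python
"""Proxy-side shape checks for foreign protocols riding on HTTP.

Added example (not from the mailing-list post). All inputs are constructed
strings; nothing here talks to a network.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Policy assumptions for this example: only plain HTTP methods, only the
# conventional web ports, and only a handful of web content types may be
# relayed. Anything else is treated as an unknown protocol tunnelled
# through the proxy and is refused, per the "deny what you do not know"
# premise described in the post.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_PORTS = {80, 443}
ALLOWED_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg"}


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_request_line(request: str) -> Tuple[str, str, str]:
    """Return (method, target, version) from the first line of a raw request."""
    first = request.split("\r\n", 1)[0]
    parts = first.split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {first!r}")
    return parts[0], parts[1], parts[2]


def header_value(message: str, name: str) -> Optional[str]:
    """Case-insensitive lookup of one header in a raw HTTP message."""
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def check_request(request: str) -> Decision:
    """Refuse requests whose shape is not ordinary proxied web traffic."""
    method, target, version = parse_request_line(request)
    if method not in ALLOWED_METHODS:
        # CONNECT in particular hands the client a raw byte pipe.
        return Decision(False, f"method {method} not permitted")
    if not version.startswith("HTTP/1."):
        return Decision(False, f"unexpected protocol version {version}")
    url = urlsplit(target)  # proxied requests carry an absolute URL
    if url.scheme not in ("http", "https"):
        return Decision(False, f"scheme {url.scheme!r} not permitted")
    port = url.port or (443 if url.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return Decision(False, f"port {port} not permitted via proxy")
    return Decision(True, "request shape is ordinary HTTP")


def check_response(response: str) -> Decision:
    """Refuse to relay a response body whose declared type is not web content."""
    ctype = header_value(response, "Content-Type")
    if ctype is None:
        return Decision(False, "no Content-Type on response")
    mime = ctype.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_TYPES:
        return Decision(False, f"content type {mime} not in allowlist")
    return Decision(True, f"content type {mime} allowed")


# Constructed samples. The plugin-style requests point at a streaming host
# on a non-web port and come back with an opaque binary body.
PLAIN_REQUEST = (
    "GET http://www.example.com/index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n\r\n"
)
TUNNEL_REQUEST = (
    "GET http://video.example.com:7070/stream?id=1 HTTP/1.0\r\n"
    "Host: video.example.com:7070\r\n\r\n"
)
CONNECT_REQUEST = "CONNECT video.example.com:7070 HTTP/1.0\r\n\r\n"
PLAIN_RESPONSE = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
TUNNEL_RESPONSE = (
    "HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    "\x00\x01binary stream"
)

if __name__ == "__main__":
    for name, req in [("plain", PLAIN_REQUEST), ("tunnel", TUNNEL_REQUEST),
                      ("connect", CONNECT_REQUEST)]:
        print(name, check_request(req))
    for name, resp in [("plain", PLAIN_RESPONSE), ("tunnel", TUNNEL_RESPONSE)]:
        print(name, check_response(resp))
```

Checks like these only catch the crude cases: a non-web port, a CONNECT tunnel, or an honest content type. A plugin whose server listens on port 80 and labels its stream text/html passes every test here, which is exactly the limit the post is pointing at; beyond that point the proxy has to understand the body, not just the envelope.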
