Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: Adam Shostack <adam () homeport org>
Date: Wed, 4 Feb 1998 02:27:56 -0500 (EST)
A real http proxy, that parses the HTML returned, could block unknown MIME types. This would not be zippy, which probably prevents most sites from using this. There are a number of partial solutions, addressing Java and ActiveX, such as those from Security7 (www.security7.com) and FinJan (www.finjan.com), that work as proxies. There are some that also have host based components (I think Finjan has announced one of these.) These are not complete solutions.

The problem forces one to ask what benefit you get from a proxy based firewall if it's forced to pass everything as html. I think you are reduced to stronger protections for your mail server, and possibly one or two other servers. This protection is starting to be added to packet filters like Checkpoint's. The other benefit is that you break and rebuild the TCP connection, which may protect your internal machine from things like OOB, teardrop and land, by impacting your firewall instead. This may or may not happen with transparent proxies. YMMV.

There are a number of companies working on tools and applications to help you secure your internal servers, because firewalls are losing value. Companies include Secure Networks, who makes a great auditing tool, ISS, who has a suite of tools, and Netect, who will be launching an integrated application in the near future. (I work for Netect, so I'll leave commentary on our product aside.)

There is then an issue of how well can you secure a Win95 machine--I don't think the OS has any useful primitives for this, such as filesystem permissions or memory protection. So, there's a huge need for short term kludges and hacks to protect your desktops from the web. I don't think smartcards, encryption, biometrics, or any other silver bullet will offer any real help in this field, but rather hacks like Janus (www.cs.berkeley.edu/~daw/janus/).
To recap: I think packet filters are the wave of the mass market future, because proxies do not offer enough speed for the (hard to understand) security wins that they offer. I think there will be a variety of tools and applications to help you secure the machines behind your packet filters. Those tools and applications will be a lot more useful where there are security features to build on. Securing Win31-98 will remain a huge pain in our craw for a long time.

Adam

Mark Horn [ Net Ops ] wrote:
| Hello,
| Lately, I've noticed an increasing number of network protocols that are
| encapsulating themselves over existing protocols. And then using some of
| our proxies to navigate anywhere on the Internet.
| Most recently I discovered VXTreme, a video streaming protocol. The
| client is a browser plugin. It is able to communicate through the
| firewall by contacting the configured HTTP proxy, and opening up a URL
| which points to a remote VXTreme server.
[...]
| The end result is that any protocol can traverse the firewall. You simply
| need to get the "plugin" to the inside, and then you're home free. Does
| anyone have any clever ideas as to how to prevent this encapsulation
| trick?
|
| --
| Mark Horn <mhorn () funb com>
|
| PGP Public Key available at: http://www.es.net/hypertext/pgp.html
| PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
| -- "It is seldom that liberty of any kind is lost all at once." -Hume
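A minimal version of the MIME-type gatekeeping Adam describes (a proxy that inspects the upstream response and refuses to relay unknown types), written here as an added example; it is not code from the thread or from any product named in it. The ALLOWED_TYPES allowlist, the sample responses and the "does the body look like text" heuristic are constructed assumptions.

```python
# Constructed allowlist: media types the proxy is willing to relay to browsers.
ALLOWED_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg"}


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_line, headers_dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(headers: dict):
    """Normalise Content-Type: lower-case it and drop parameters such as charset."""
    ctype = headers.get("content-type")
    if ctype is None:
        return None
    return ctype.split(";", 1)[0].strip().lower()


def looks_textual(body: bytes) -> bool:
    """Heuristic (assumption): a text body carries no NUL bytes and few control chars."""
    if not body:
        return True
    if b"\x00" in body:
        return False
    control = sum(1 for b in body if b < 0x20 and b not in (0x09, 0x0A, 0x0D))
    return control / len(body) < 0.05


def filter_response(raw: bytes):
    """Decide for one upstream response: ('pass', media_type) or ('block', reason)."""
    _, headers, body = parse_response(raw)
    mtype = media_type(headers)
    if mtype is None:
        return "block", "missing Content-Type"
    if mtype not in ALLOWED_TYPES:
        return "block", f"unknown media type {mtype}"
    # A tunnelled protocol labelled as text is caught when the bytes are not text.
    if mtype.startswith("text/") and not looks_textual(body):
        return "block", f"body does not look like {mtype}"
    return "pass", mtype


if __name__ == "__main__":
    # Constructed sample: the declared type is allowed, but the body is binary.
    sample = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n\x00\x01\x02stream"
    print(filter_response(sample))
```

Real deployments also have to handle chunked and compressed bodies before inspecting them, which is part of why Adam notes such a proxy "would not be zippy".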
Current thread:
- encapsulated protocols? Mark Horn [ Net Ops ] (Feb 03)
- Re: encapsulated protocols? Adam Shostack (Feb 04)
- Re: encapsulated protocols? Aleph One (Feb 06)
- Re: encapsulated protocols? Adam Shostack (Feb 06)
- Re: encapsulated protocols? Mark Horn [ Net Ops ] (Feb 06)
- Re: encapsulated protocols? Adam Shostack (Feb 07)
- IPsec and firewalls Aleph One (Feb 07)
- Re: IPsec and firewalls carson (Feb 09)
- Re: IPsec and firewalls Aleph One (Feb 09)
- Re: IPsec and firewalls carson (Feb 09)
- Re: IPsec and firewalls Adam Shostack (Feb 09)
- Re: IPsec and firewalls carson (Feb 09)
- Re: encapsulated protocols? Aleph One (Feb 06)
- Re: encapsulated protocols? Adam Shostack (Feb 04)