Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: Adam Shostack <adam () homeport org>
Date: Wed, 4 Feb 1998 02:27:56 -0500 (EST)

        A real http proxy, that parses the HTML returned, could block
unknown MIME types.  This would not be zippy, which probably prevents
most sites from using this.

        There are a number of partial solutions, addressing Java and
ActiveX, such as those from Security7 (www.security7.com), FinJan
(www.finjan.com) that work as proxies.  There are some that also have
host based components (I think Finjan has announced one of these.)

        These are not complete solutions.  The problem forces one to
ask what benefit you get from a proxy based firewall if it's forced to
pass everything as html.  I think you are reduced to stronger
protections for your mail server, and possibly one or two other
servers.  This protection is starting to be added to packet filters
like Checkpoint's.  The other benefit is that you break and rebuild
the TCP connection, which may protect your internal machine from
things like OOB, teardrop and land, by impacting your firewall
instead.  This may or may not happen with transparent proxies.  YMMV.

        There are a number of companies working on tools and
applications to help you secure your internal servers, because
firewalls are losing value.  Companies include Secure Networks, who
makes a great auditing tool, ISS, who has a suite of tools, and
Netect, who will be launching an integrated application in the near
future.  (I work for Netect, so I'll leave commentary on our product
aside.)

        There is then an issue of how well can you secure a Win95
machine--I don't think the OS has any useful primitives for this,
such as filesystem permissions or memory protection.  So, there's a
huge need for short term kludges and hacks to protect your desktops
from the web.  I don't think smartcards, encryption, biometrics, or
any other silver bullet will offer any real help in this field, but
rather hacks like Janus (www.cs.berkeley.edu/~daw/janus/).

        To recap: I think packet filters are the wave of the mass
market future, because proxies do not offer enough speed for the
(hard to understand) security wins that they offer.  I think there
will be a variety of tools and applications to help you secure the
machines behind your packet filters.  Those tools and applications
will be a lot more useful where there are security features to build
on.  Securing Win31-98 will remain a huge pain in our craw for a long
time.

Adam


Mark Horn [ Net Ops ] wrote:
| Hello,

| Lately, I've noticed an increasing number of network protocols that are
| encapsulating themselves over existing protocols.  And then using some of
| our proxies to navigate anywhere on the Internet.

| Most recently I discovered VXTreme, a video streaming protocol.  The
| client is a browser plugin.  It is able to communicate through the
| firewall by contacting the configured HTTP proxy, and opening up a URL
| which points to a remote VXTreme server.
[...]
| The end result is that any protocol can traverse the firewall.  You simply
| need to get the "plugin" to the inside, and then you're home free.  Does
| anyone have any clever ideas as to how to prevent this encapsulation
| trick?
| 
| -- 
| Mark Horn <mhorn () funb com>
| 
| PGP Public Key available at: http://www.es.net/hypertext/pgp.html
| PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
| 


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
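A sketch of the check Adam describes at the top of the thread, a content-parsing HTTP proxy that refuses responses whose MIME type is not on an allowlist, including plug-in objects embedded in returned HTML. This is an added example, not code from the original post or from any vendor named in it; the allowlist contents and the sample response are assumptions constructed for the demonstration.

```python
# Added example: MIME-type allowlist enforcement for a content-parsing proxy.
from html.parser import HTMLParser

# Assumed allowlist: any type not listed here is "unknown" and gets blocked.
ALLOWED_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_type(value: str) -> str:
    """'text/html; charset=utf-8' -> 'text/html' (lower-cased, parameters dropped)."""
    return value.split(";", 1)[0].strip().lower()


class EmbedScanner(HTMLParser):
    """Collect the MIME types declared by <embed> and <object> tags in a page."""
    def __init__(self):
        super().__init__()
        self.types = []

    def handle_starttag(self, tag, attrs):
        if tag in ("embed", "object"):
            # A plug-in tag with no type attribute counts as unknown as well.
            self.types.append(media_type(dict(attrs).get("type") or ""))


def blocked_types(raw: bytes) -> list:
    """Return the MIME types that would make the proxy refuse this response."""
    _, headers, body = parse_response(raw)
    outer = media_type(headers.get("content-type", ""))
    found = [outer]
    if outer == "text/html":  # only HTML gets parsed for embedded objects
        scanner = EmbedScanner()
        scanner.feed(body.decode("iso-8859-1", errors="replace"))
        found.extend(scanner.types)
    return [t for t in found if t not in ALLOWED_TYPES]


# Constructed sample: an HTML page that loads a plug-in stream of an unknown type.
SAMPLE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"
          b"<html><body><embed src=\"stream\" type=\"video/x-unknown-stream\">"
          b"<img src=\"a.gif\"></body></html>")
```

Returning the offending types rather than a bare verdict lets the proxy log what it blocked, which is the evidence you need when tuning the allowlist.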



