RE: GXD vs. SPF

[Hines Dennis <Dennis.Hines () Columbia net>]

> Maybe it's just me, but I still fail to see the security stance of 
> someone who allows more than about four protocols.  Tunneling over SMTP, 
> HTTP, and DNS are pretty difficult to detect as is, but at least most of 
> it's trendable with statistics from common gateways.  How the heck do you 
> figure out a tunnel over half a gazillion protocols and still feel a 
> measure of protection?  Was I asleep in that part of the sales pitch?

Could someone fill me in a bit on the risks of tunneling over SMTP, HTTP,
etc.  What are the capabilities of this sort of attack?  How is it
accomplished (in general terms).

Thanks,

Dennis

dennis.hines () columbia net


> -----Original Message-----
> From: Paul D. Robertson [SMTP:proberts () clark net]
> Sent: Wednesday, September 30, 1998 8:57 AM
> To:   Ryan Russell
> Cc:   Stout, Bill; Frederick M Avolio; Firewall-wizards
> Subject:      RE: GXD vs. SPF
>
> On Tue, 29 Sep 1998, Ryan Russell wrote:
>
> > Firewall-1 designers appear to start with the most generic SPF handler
> > possible, and only add better handling when the protocol won't
> > work otherwise, or some exploit is published.  That's the wrong place
> > for a firewall to be.
>
> The worst thing I see about this model is that it doesn't reliably give 
> you an index to how much protection you're getting from the firewall.  
> Initially you didn't even get UDP state, then someone pointed out that it 
> couldn't be a stateful packet filter if it didn't keep UDP state and that 
> was fixed.  Now you don't get ICMP state.  Then if you start delving into 
> application protocols, you may or may not get additional state 
> information that has something to do with the protocol itself.  
>
> It should be pointed out that the proxy server folks have done things 
> like a "reference" proxy put out by someone that looked for about a four 
> character string in the datastream to decide if the traffic was ok.  Whee!
>
> Maybe it's just me, but I still fail to see the security stance of 
> someone who allows more than about four protocols.  Tunneling over SMTP, 
> HTTP, and DNS are pretty difficult to detect as is, but at least most of 
> it's trendable with statistics from common gateways.  How the heck do you 
> figure out a tunnel over half a gazillion protocols and still feel a 
> measure of protection?  Was I asleep in that part of the sales pitch?
>
> My users have been telling me for years how much not having 
> cute-video-chat-coke-or-pepsi-taste-testing protocol #6 will severely 
> impact their daily jobs.  Funnily enough we've had some of our most 
> profitable quarters in that time period without it.  
>
> Maybe I should go around and test to see if all my cat 5 and type 1 is 
> Y2k compliant, I keep feeling pretty far out of it.  I'm still trying to 
> figure out if we can just get them all WebTV, stick them in a tuner 
> "sandbox" and go home. 
>
> Paul
> --------------------------------------------------------------------------
> ---
> Paul D. Robertson      "My statements in this message are personal
> opinions
> proberts () clark net      which may have no basis whatsoever in fact."
>  
> PSB#9280