Firewall Wizards mailing list archives
Re: httptunnel
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 23 Mar 1999 21:56:46 -0500
In message <Pine.GSO.4.05.9903231102580.7131-100000@elvis>, Ken Hardy writes:
See http://www.nocrew.org/software/httptunnel.html for a great little piece of software. Works through your existing HTTP proxy to render your firewall meaningless. (I've been waiting for something like BackOrifice to use HTTP instead of UDP for its remote control session.) We currently do not use proxy authentication for HTTP requests which originate internally. May change that. I presume that that could help thwart a covert trojan program trying to get out w/ HTTP. Thoughts? I also presume that coders of httptunnel could easily build in proxy authentication for users who intend to install it on their desktop for some purpose, so it cannot be a panacea.
Firewalls are based on two fundamental assumptions: that anyone on the outside may be bad, and that all actors on the inside are good. If the latter assumption is false, your firewall is useless. Once upon a time, the inside "actors" referred to people. In an era of mobile code -- mobile in the sense of both Java/ActiveX and in reference to outside code that is installed -- the word refers to such programs as well.

Here we have a piece of "malware" -- code designed to subvert administrative policy. Although perhaps in theory it could be installed by, say, a Makefile in some popular package, or by a Trojan horse in something you run, most likely it would be deliberately installed by someone who doesn't like the firewall. But the difference isn't that important -- what matters is that either is a bad actor on the inside.

The precise tunnel chosen isn't that interesting, either -- years ago, as I recall, Marcus implemented IP over DNS and IP over email ("the round trip time is pretty long, but you have a really large MTU"). *Any* bidirectional channel can be used as a tunnel -- and if your users are hell-bent on getting around your firewall, they're going to. *Maybe* you can use traffic analysis to find such things, but then you're in a serious arms race.

You can't use technical means to enforce a stricter security policy than your organizational culture will support, though human means, such as a chat with management, may work.

(Aside: a few years ago, I gave a talk at an Agency. Over lunch, I made that same observation to my hosts, and observed that at least they worked in a place where the organizational culture understood the need for security. I got these pained looks, before someone said, "well, parts of the organization understand it".)