Firewall Wizards mailing list archives

Re: Tunnelling


From: pgut001 () cs auckland ac nz (Peter Gutmann)
Date: Sat, 6 Nov 1999 04:48:00 (NZDT)

[cc'd back into firewall-wizards from ukcrypto in case it's of interest]

Donald Ramsbottom <donald () ramsbottom co uk> writes:

Remember the tunnelling software I mentioned a few weeks back? Well, there is
not a lot on it, but firewall Guru PJ has a little more on it; see below. He
has mentioned that if anyone is having difficulty they can email him. His email
is paul_jennings () vnet ibm com.

I know it's off topic but it is a security risk which has the potential to
bypass conventional security, and is therefore legitimate.

It appears from the last post that BT may be one of the culprits! Some of the
posts have been repeated.

It's not just BT, quite a number of companies are quietly using this trick to
get data past firewalls because it's the only practical way to do it.  The
reasoning which leads to its use is something like:

- Our product relies on being able to move (audio/video/EDI/database 
  transactions/authorisation data/whatever) in and out of customer sites.
- Most of them are running firewalls which block anything other than mail,
  HTTP, and possibly very limited FTP.
- Doing it the way you're supposed to will require getting every user to 
  reconfigure their firewalls and whatnot.  Most of them don't even know what 
  the firewall is apart from "that box with the blinky lights which someone 
  set up for us last year".

-> We'll use HTTP to tunnel it through and it won't be a problem.  Even as yet
   undiscovered tribes in the jungles of Borneo can handle HTTP.

(Six months later when they've developed workarounds for all the broken and
 incorrectly implemented Micros^H^H^H^H^Hproxies/firewalls floating around out
 there which don't quite get HTTP right, things do actually work out this way.
 The main problem is things caching data when they shouldn't).

Adding filtering to stop HTTP tunnelling is a good idea security-wise, but
it's going to break a lot of stuff which is using it because other
filtering is already preventing the use of traditional ways of getting data 
through.  Improving HTTP filtering will just lead to an arms race in which
the people who need to get data in and out will improve their tunnelling to
bypass HTTP filters.

Peter.


