Firewall Wizards mailing list archives
Re: Tunnelling
From: pgut001 () cs auckland ac nz (Peter Gutmann)
Date: Sat, 6 Nov 1999 04:48:00 (NZDT)
[cc'd back into firewall-wizards from ukcrypto in case it's of interest]

Donald Ramsbottom <donald () ramsbottom co uk> writes:

> Remember the tunnelling software I mentioned a few weeks back? Well, there is not a lot on it, but firewall guru PJ has a little more on it, see below. He has mentioned that if anyone is having difficulty they can email him. His email is paul_jennings () vnet ibm com. I know it's off topic, but it is a security risk which has the potential to bypass conventional security, and is therefore legitimate. It appears from the last post that BT may be one of the culprits! Some of the posts have been repeated.
It's not just BT, quite a number of companies are quietly using this trick to get data past firewalls because it's the only practical way to do it. The reasoning which leads to its use is something like:

- Our product relies on being able to move (audio/video/EDI/database transactions/authorisation data/whatever) in and out of customer sites.
- Most of them are running firewalls which block anything other than mail, HTTP, and possibly very limited FTP.
- Doing it the way you're supposed to will require getting every user to reconfigure their firewalls and whatnot. Most of them don't even know what the firewall is apart from "that box with the blinky lights which someone set up for us last year".

-> We'll use HTTP to tunnel it through and it won't be a problem. Even as yet undiscovered tribes in the jungles of Borneo can handle HTTP.

(Six months later, when they've developed workarounds for all the broken and incorrectly implemented Micros^H^H^H^H^Hproxies/firewalls floating around out there which don't quite get HTTP right, things do actually work out this way. The main problem is things caching data when they shouldn't.)

Adding filtering to stop HTTP tunnelling is a good idea security-wise, but it's going to break a lot of stuff which is using it, because other filtering is already preventing the use of traditional ways of getting data through. Improving HTTP filtering will just lead to an arms race in which the people who need to get data in and out will improve their tunnelling to bypass HTTP filters.

Peter.