Firewall Wizards mailing list archives

Re: Citrix ICA through port 80?

From: Crispin Cowan <crispin () wirex com>
Date: Sat, 12 Feb 2000 22:23:28 +0000

Ivan Fox wrote:

If users can bypass a firewall, what's the point of having a firewall?


Firewalls are to keep the bad packets out.  Firewalls are completely
ineffective at keeping the users in.  They were not designed to contain
users, and are completely incapable of containing a determined user.

For a counter-example to the idea of using firewalls to contain inside
users, consider MJR's demo-ware that implemented TCP/IP over top of DNS
requests.  If you can get any data at all out, then you can put TCP/IP on
top of it, and from there you can do anything.

Thus for security purposes, firewalls are strictly access control devices
to control what outsiders can do to your inside.  Your firewall may be
performing some kind of control on what your inside users can pass out,
but it is strictly a convenience factor.  A determined user can always
push out if they want to.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
                  JOBS!  http://immunix.org/jobs.html

Current thread:

Citrix ICA through port 80? SF BA (Feb 11)
- Re: Citrix ICA through port 80? Ivan Fox (Feb 12)
  - Re: Citrix ICA through port 80? Crispin Cowan (Feb 14)
    - Re: Citrix ICA through port 80? Lance Spitzner (Feb 15)
- Re: Citrix ICA through port 80? Mikael Olsson (Feb 12)
- <Possible follow-ups>
- RE: Citrix ICA through port 80? Troy Henley (Feb 12)
- Re: Citrix ICA through port 80? fgb (Feb 12)
- RE: Citrix ICA through port 80? Henry Sieff (Feb 14)
- RE: Citrix ICA through port 80? Bill Stout (Feb 15)
- RE: Citrix ICA through port 80? Sigler, Karl (Feb 15)
- Re: Citrix ICA through port 80? TC Wolsey (Feb 16)