Firewall Wizards mailing list archives

Re: Bypassing firewall


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 03 Feb 2000 08:23:03 -0500


> The only context I can think of this making any sense is when you
> have an inside agent program that makes an SSL connection to an
> external host for the express purpose of providing access to systems
> on the inside (sort of like dial-back).

You mean like if someone made a Back Orifice plug-in or
something like that?

> The `solutions' are not pretty: disable any protocol using encryption
> because the firewall cannot validate the message's integrity or force
> everything to be decrypted and re-encrypted as required to allow the
> message to be checked that it matches the right protocol.


No, it's worse. The 'solution' is to disable any protocol
that issues connections which are not immediately tied to
an authentication that isn't performed by a computer.

mjr.
