Firewall Wizards mailing list archives
Re: Bypassing firewall
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 03 Feb 2000 08:23:03 -0500
The only context I can think of this making any sense is when you have an inside agent program that makes an SSL connection to an external host for the express purpose of providing access to systems on the inside (sort of like dial-back).
You mean like if someone made a Back Orifice plug-in or something like that?
The `solutions' are not pretty: disable any protocol using encryption, because the firewall cannot validate the message's integrity, or force everything to be decrypted and re-encrypted as required to allow the message to be checked that it matches the right protocol.
No, it's worse. The 'solution' is to disable any protocol that issues connections which are not immediately tied to an authentication that isn't performed by a computer.

mjr.