Firewall Wizards mailing list archives
Re: Bypassing firewall
From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 31 Jan 2000 11:37:39 -0500
I think this discussion is really another manifestation of Ranum's Law: You can't solve social problems with software. Yes, you can make it harder, but *any* bidirectional channel can be used for tunneling. You have two choices: "persuade" employees that the firewall policies are reasonable (and take appropriate action if folks don't go along), or modify your firewall policy to conform to reality.

That brings up my own "law": you can't use technical mechanisms to enforce a stronger security policy than the organizational culture will support. (I once made that observation when giving a talk at, umm, some government organization somewhere. I remarked over lunch that at least they had a culture that understood the need for security. My hosts gave me this pained look, before someone said "well, parts of the organization". I later told that story to someone else who worked there. Her response was "that's right; I have to get my job done, and I can't let the !@#$%^ firewall get in the way.") Your mileage may vary -- but probably not by very much.

I'm endlessly amused by people who try to design new protocols to live on top of HTTP, simply because that's something that can often get through firewalls. My own opinion is that if you *need* to get something through a firewall, open up the port -- and instead design protocols that are easy to inspect and/or proxy.

--Steve Bellovin