Firewall Wizards mailing list archives

RE: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)


From: Joseph Steinberg <Joseph () whale-com com>
Date: Thu, 9 Aug 2001 11:47:12 -0400


Paul --

I just want to be sure we are talking about the same case, before answering.

Are you talking about tunneling in from a home machine or the like -- or
tunneling out from a corporate network?

-- Joseph

-----Original Message-----
From: Paul Cardon [mailto:paul () moquijo com]
Sent: Thursday, August 09, 2001 10:53 AM
To: Joseph Steinberg
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)


Joseph Steinberg wrote:

In terms of all tunneling - since the e-Gap System inspects the
application-level payload of all inbound requests to ensure that they are
valid -- the application payload of the tunneling attempt, which will not
look like valid web activity (URL, parameters, etc.), will be rejected.

If someone did want to try tunneling through an e-Gap with httptunnel,
unless the e-Gap were configured to allow tunneling to the tunnel server
(hts), it would fail. The only machines and ports to which the e-Gap System
will relay information are those that are specified in its configuration
files. I.e., if the e-Gap is configured to relay port 80 on its external
server (e.g., 1.2.3.4) to port 65 on an internal machine (5.6.7.8), even if
someone tunneled information, it would not reach his/her intended
destination, as the only machine that is reachable is the one in the
configuration. If someone tried to communicate to a different port or
machine it would not reach the destination -- as the source and destination
he/she provided would be ignored. Because no TCP/IP passes through the e-Gap
and the packets need to be re-generated on the internal side, this is
assured.

You misunderstood my point but actually verified what I said.  If the
e-Gap permits http to a particular host and that host is running the
httptunnel server on the permitted port then e-Gap will gladly pass the
tunnel traffic.  That is what I meant.  It does not prevent tunneling to
allowed hosts and ports if the tunnel traffic looks like valid http.  

A basic packet filter can be just as effective as e-gap at preventing
tunneling if it is configured as you describe above to only allow
connections to hosts and ports that are verified to be "real" http
servers.

-paul
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
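The two controls the thread compares, a fixed relay table that ignores the client-supplied destination and a syntactic check that the payload is well-formed HTTP, can be modelled in a few lines. The following is an added example written for this archive page, not code from e-Gap, httptunnel or either poster; the relay table reuses the addresses from Joseph's illustration (1.2.3.4:80 relayed to 5.6.7.8:65), and the request bytes fed to it are constructed. It shows Paul's point: once the destination is an allowed host/port, any payload that parses as HTTP is forwarded, so the protection comes from restricting the relay table to hosts verified to be real HTTP servers, not from the syntax check.

```python
"""
Toy model of a destination-allowlist relay with a syntactic HTTP check.
Added example for the firewall-wizards thread above; the relay table,
hosts and request bytes are constructed for illustration only.
"""
import re

# Constructed relay configuration modelled on the thread's example:
# external 1.2.3.4:80 is relayed only to internal 5.6.7.8:65.
RELAY_TABLE = {
    ("1.2.3.4", 80): ("5.6.7.8", 65),
}

# Request line: method, origin-form or absolute-form target, HTTP/1.0 or 1.1.
REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD) (/[^ \r\n]*|https?://[^ \r\n]+) HTTP/1\.[01]\r\n$"
)


def parse_request_head(data: bytes):
    """Return (method, target, headers) if `data` starts with a well-formed
    HTTP/1.x request head, otherwise None. Only the syntax is checked; the
    body, if any, is not inspected at all."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return None                      # no end-of-headers marker
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0] + b"\r\n"):
        return None                      # request line is not HTTP-shaped
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return None                  # malformed header line
        headers[name.strip().lower()] = value.strip()
    method, target, _version = lines[0].split(b" ")
    return method.decode(), target.decode(), headers


def relay_decision(external_ip: str, external_port: int, data: bytes):
    """Apply the modelled policy to one inbound request.

    Returns ("forward", (host, port)) or ("reject", reason). The destination
    is taken from RELAY_TABLE; whatever host the client named in the request
    (Host header or absolute URL) is ignored, as the thread describes.
    """
    dest = RELAY_TABLE.get((external_ip, external_port))
    if dest is None:
        return ("reject", "no relay configured for this external endpoint")
    if parse_request_head(data) is None:
        return ("reject", "payload is not a well-formed HTTP request")
    return ("forward", dest)


if __name__ == "__main__":
    # Constructed sample: a syntactically valid POST carrying opaque bytes.
    sample = (b"POST /index.html HTTP/1.1\r\nHost: 1.2.3.4\r\n"
              b"Content-Length: 4\r\n\r\n\x00\x01\x02\x03")
    print(relay_decision("1.2.3.4", 80, sample))
```

Running it forwards the constructed POST to 5.6.7.8:65 even though its body is arbitrary bytes, while a request arriving on a port with no relay entry, or a payload that is not HTTP-shaped at all, is rejected. Both a packet filter and an application-level gateway reduce to the same question here: is the listed internal host really an HTTP server and nothing else.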