Firewall Wizards mailing list archives
RE: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)
From: Joseph Steinberg <Joseph () whale-com com>
Date: Thu, 9 Aug 2001 11:47:12 -0400
Paul --

I just want to be sure we are talking about the same case, before answering. Are you talking about tunneling in from a home machine or the like -- or tunneling out from a corporate network?

-- Joseph

-----Original Message-----
From: Paul Cardon [mailto:paul () moquijo com]
Sent: Thursday, August 09, 2001 10:53 AM
To: Joseph Steinberg
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)

Joseph Steinberg wrote:
In terms of all tunneling -- since the e-Gap System inspects the application-level payload of all inbound requests to ensure that they are valid -- the application payload of the tunneling attempt, which will not look like valid web activity (URL, parameters, etc.), will be rejected. If someone did want to try tunneling through an e-Gap with httptunnel, unless the e-Gap were configured to allow tunneling to the tunnel server (hts), it would fail. The only machines and ports to which the e-Gap System will relay information are those that are specified in its configuration files. I.e., if the e-Gap is configured to relay port 80 on its external server (e.g., 1.2.3.4) to port 65 on an internal machine (5.6.7.8), even if someone tunneled information, it would not reach his/her intended destination, as the only machine that is reachable is the one in the configuration. If someone tried to communicate to a different port or machine it would not reach the destination -- as the source and destination he/she provided would be ignored. Because no TCP/IP passes through the e-Gap and the packets need to be re-generated on the internal side, this is assured.
You misunderstood my point but actually verified what I said. If the e-Gap permits http to a particular host and that host is running the httptunnel server on the permitted port, then e-Gap will gladly pass the tunnel traffic. That is what I meant. It does not prevent tunneling to allowed hosts and ports if the tunnel traffic looks like valid http. A basic packet filter can be just as effective as e-Gap at preventing tunneling if it is configured as you describe above to only allow connections to hosts and ports that are verified to be "real" http servers.

-paul

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
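The two positions in the exchange above, modelled in code. This is an added example, not code from the thread or from the e-Gap product: a toy application-level relay that (a) forwards only to the destinations in its own configuration table, as Joseph describes, and (b) accepts only payloads that are syntactically valid HTTP. Running it shows Paul's point: an httptunnel-style client whose traffic is well-formed HTTP passes the payload check and reaches the permitted host and port, while raw non-HTTP bytes are dropped. The relay table, the paths and every sample payload are constructed for the example; the encapsulation in `wrap_in_http` is a simplification of httptunnel's framing, not its actual wire format.

```python
"""
Toy model of an HTTP-inspecting relay (added example, not the e-Gap's code).
Shows why payload validation does not stop a tunnel that is itself valid HTTP
to an allowed host/port, while still blocking anything not in the relay table.
"""
import base64
import re

# Constructed relay table, modelled on the thread's "port 80 on 1.2.3.4 ->
# port 65 on 5.6.7.8" example: (external_ip, external_port) -> (internal_ip, internal_port)
RELAY_TABLE = {
    ("1.2.3.4", 80): ("5.6.7.8", 65),
}

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (/[^ \r\n]*) HTTP/1\.[01]$")
HEADER_LINE = re.compile(rb"^[A-Za-z0-9-]+: [^\r\n]*$")


def is_valid_http_request(payload: bytes) -> bool:
    """Syntactic check only: request line, header lines, and a body whose
    length matches Content-Length. An HTTP-aware relay can verify this much;
    it cannot tell a tunnel body from a legitimate form post."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    content_length = 0
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return False
        name, _, value = line.partition(b": ")
        if name.lower() == b"content-length":
            if not value.isdigit():
                return False
            content_length = int(value)
    return len(body) == content_length


def relay(external_ip: str, external_port: int, payload: bytes):
    """Return the internal (ip, port) the payload is forwarded to, or None if
    the relay drops it. Only the configured mapping decides the destination;
    nothing the client says about where it wants to go is consulted."""
    dest = RELAY_TABLE.get((external_ip, external_port))
    if dest is None:
        return None
    if not is_valid_http_request(payload):
        return None
    return dest


# Constructed samples.
NORMAL_GET = b"GET /index.html HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n"
RAW_SSH = b"SSH-2.0-OpenSSH_2.9\r\n"  # constructed SSH banner sent directly, no HTTP


def wrap_in_http(inner: bytes) -> bytes:
    """httptunnel-style encapsulation (simplified): the inner stream rides as
    the body of an ordinary POST to a URL the relay already permits."""
    body = base64.b64encode(inner)
    return (b"POST /index.html HTTP/1.1\r\nHost: 1.2.3.4\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def demo() -> dict:
    """Run the four cases discussed in the thread through the relay."""
    return {
        "normal_get": relay("1.2.3.4", 80, NORMAL_GET),
        "raw_ssh": relay("1.2.3.4", 80, RAW_SSH),
        "tunnelled_ssh": relay("1.2.3.4", 80, wrap_in_http(RAW_SSH)),
        "unconfigured_port": relay("1.2.3.4", 8080, wrap_in_http(RAW_SSH)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The `tunnelled_ssh` case is the one Paul is talking about: it is forwarded to 5.6.7.8:65 exactly like `normal_get`, because the relay has no way to distinguish a base64 body carrying an SSH stream from any other POST body. The `unconfigured_port` case is the one Joseph is talking about: whatever the client puts in the payload, a destination absent from `RELAY_TABLE` is unreachable. A packet filter that permits only the same (host, port) pair achieves the second property without the payload check.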
Current thread:
- RE: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe) Joseph Steinberg (Aug 10)