Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 06 Apr 2003 14:59:37 -0400

Anton A. Chuvakin wrote:
To clarify, imagine you have to have something that needs to talk thru a
firewall from a less secure compartment to a more secure one. And the
options are: open TCP port XXXXX (to the required host only, of course),
or tunnel over currently open (or proxied) port 80?

Both options have the same security properties - tunnelling is pretty
much exactly the same as opening a port, except that whatever does
the tunnelling may log the event. (Which your firewall can do in the case
of opening a port)

The real question is whether the tunnelling system provides _ANY_
security controls above and beyond ip/src/dest/logging. If not, then
they're 100% the same. If you can do some kind of content filtering
or control, then it might be worth it.

Protocol-over-protocol "attacks" mooted firewalls a loooooooong time
ago. We've just been cheerfully ignoring that fact. I was tunnelling
IP packets uuencoded over smtp back in the early 1990's (I guess
it would have been 1993 or -4) and got good enough RTTs that I
could even NFS-mount filesystems across a firewall once I had
tuned the NFS timeouts and retries correctly.

mjr. 
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com
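As an added illustration of the distinction drawn above (example code, not part of the original message or of any product the thread mentions): the same constructed port-80 payloads evaluated by a pure address/port rule and by a content-aware rule. The sample payloads, rule functions and allow-list are all assumptions made here; the first rule decides on the port alone, the second passes only what parses as an HTTP/1.x request with an allowed method.

```python
import re

# Constructed first-bytes of four connections arriving on port 80.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "connect_tunnel": b"CONNECT internal.test:22 HTTP/1.1\r\nHost: internal.test:22\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_8.9\r\n",          # raw SSH banner, no HTTP at all
    "tls_on_80": bytes.fromhex("160301"),             # start of a TLS record, not HTTP
}

# Method token, request target, HTTP/1.0 or 1.1, CRLF.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = ("GET", "HEAD", "POST")   # assumed allow-list


def port_rule(dport):
    """What a plain packet filter knows: destination port only."""
    return "allow" if dport == 80 else "deny"


def content_rule(first_bytes):
    """What a proxy that actually looks at the stream can enforce.
    Returns (decision, reason)."""
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return "deny", "payload on port 80 is not an HTTP/1.x request"
    method = m.group(1).decode()
    if method == "CONNECT":
        # CONNECT asks the proxy to become a raw TCP relay: the tunnel
        # the thread is talking about, just with an HTTP-shaped opener.
        return "deny", "CONNECT would turn the proxy into a raw relay"
    if method not in ALLOWED_METHODS:
        return "deny", "method %s is not in the allow-list" % method
    return "allow", "%s %s" % (method, m.group(2).decode())


def evaluate(samples, dport=80):
    """Map each sample to (port-rule decision, content-rule decision)."""
    return {name: (port_rule(dport), content_rule(data)[0])
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLES).items():
        print("%-15s port-rule=%-5s content-rule=%s" % ((name,) + verdicts))
```

The port rule cannot tell the four connections apart, which is the sense in which opening a port and tunnelling are the same; only the content rule distinguishes them, and even it still lets a POST body carry arbitrary bytes, so it narrows the channel rather than closing it.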

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
