Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 06 Apr 2003 14:59:37 -0400
Anton A. Chuvakin wrote:
> To clarify, imagine you have to have something that needs to talk through a firewall from a less secure compartment to a more secure one. And the options are: open TCP port XXXXX (to the required host only, of course), or tunnel over a currently open (or proxied) port 80?
Both options have the same security properties: tunnelling is pretty much exactly the same as opening a port, except that whatever does the tunnelling may log the event (which your firewall can do in the case of opening a port). The real question is whether the tunnelling system provides _ANY_ security controls above and beyond ip/src/dest/logging. If not, then they're 100% the same. If you can do some kind of content filtering or control, then it might be worth it.

Protocol-over-protocol "attacks" mooted firewalls a loooooooong time ago. We've just been cheerfully ignoring that fact. I was tunnelling IP packets uuencoded over SMTP back in the early 1990's (I guess it would have been 1993 or -4) and got good enough RTTs that I could even NFS-mount filesystems across a firewall once I had tuned the NFS timeouts and retries correctly.

mjr.

---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
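The distinction Ranum draws (an address/port rule versus a system that can apply "some kind of content filtering or control") is easy to see in code. The following is an added example, not part of the thread and not anyone's firewall product: it compares a plain "open the port" decision, which sees only source zone, destination host and port, with an application-proxy decision that additionally checks that the bytes on port 80 are a well-formed HTTP/1.x request. The zone name `dmz`, the host `www.example.com`, the `ALLOWED_FLOWS` rule and all sample streams are constructed for illustration.

```python
import re

# Constructed sample streams: the first bytes a client in the less secure
# compartment sent on TCP/80 toward the protected host. All hypothetical.
SAMPLE_STREAMS = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_9.3\r\n",
    # Bytes shaped like a raw IPv4 header, standing in for "IP over port 80".
    "raw_ip_header": bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7"),
    # A stream that wraps an opaque payload in a syntactically valid request.
    "http_wrapped": (b"POST /sync HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"Content-Type: application/octet-stream\r\n"
                     b"Content-Length: 8\r\n\r\n\x00\x01\x02\x03\x04\x05\x06\x07"),
}

# Hypothetical address/port rule: DMZ hosts may reach the web server on 80.
ALLOWED_FLOWS = {("dmz", "www.example.com", 80)}

# Request line of an HTTP/1.0 or HTTP/1.1 request: method, target, version.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (/\S*|\*) HTTP/1\.[01]\r\n")


def packet_filter_allows(src_zone, dst_host, dst_port, allowed=ALLOWED_FLOWS):
    """Decision of a plain 'open the port' rule: src/dst/port only, payload unseen."""
    return (src_zone, dst_host, dst_port) in allowed


def looks_like_http(data):
    """Minimal HTTP/1.x request conformance check. Returns (ok, reason)."""
    m = REQUEST_LINE.match(data)
    if not m:
        return False, "no HTTP request line"
    # The header block ends at the first blank line; it may immediately follow
    # the request line, which is why the search starts two bytes early.
    head_end = data.find(b"\r\n\r\n", m.end() - 2)
    if head_end == -1:
        return False, "header block not terminated"
    names = set()
    for line in data[m.end():head_end].split(b"\r\n"):
        if not line:
            continue
        if b":" not in line:
            return False, "malformed header line"
        names.add(line.split(b":", 1)[0].strip().lower())
    if b"host" not in names:
        return False, "missing Host header"
    return True, "well-formed HTTP/1.x request"


def proxy_allows(src_zone, dst_host, dst_port, data, allowed=ALLOWED_FLOWS):
    """Decision of an application proxy: address rule plus protocol conformance."""
    if not packet_filter_allows(src_zone, dst_host, dst_port, allowed):
        return False, "denied by address/port rule"
    return looks_like_http(data)


def compare_policies(streams=SAMPLE_STREAMS):
    """Run each sample through both policies.

    Returns {name: (packet_filter_ok, proxy_ok, proxy_reason)}.
    """
    out = {}
    for name, data in streams.items():
        f = packet_filter_allows("dmz", "www.example.com", 80)
        p, why = proxy_allows("dmz", "www.example.com", 80, data)
        out[name] = (f, p, why)
    return out


if __name__ == "__main__":
    for name, (f, p, why) in compare_policies().items():
        f_txt = "allow" if f else "deny"
        p_txt = "allow" if p else "deny"
        print(f"{name:14} packet-filter={f_txt:5} proxy={p_txt:5} ({why})")
```

The packet filter passes all four streams because every one of them matches the address/port rule; the proxy rejects the SSH banner and the raw IP bytes. The `http_wrapped` case is the one that matters for Ranum's argument: a payload carried inside a conformant HTTP request passes the conformance check too, so content control raises the bar for protocol-over-protocol traffic rather than closing the hole, and the logging a proxy produces is what you are left with for detection.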