Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Crispin Cowan <crispin () wirex com>
Date: Sun, 06 Apr 2003 21:26:07 -0700

Barney Wolff wrote:

> On Sun, Apr 06, 2003 at 02:59:37PM -0400, Marcus J. Ranum wrote:
>> Protocol-over-protocol "attacks" mooted firewalls a loooooooong time
>> ago. We've just been cheerfully ignoring that fact. I was tunnelling
>> IP packets uuencoded over smtp back in the early 1990's (I guess
>> it would have been 1993 or -4) and got good enough RTTs that I
>> could even NFS-mount filesystems across a firewall once I had
>> tuned the NFS timeouts and retries correctly.
> With all due respect, this is something of an overstatement.  Tunneling
> requires a cooperating agent on the inside.  The security policy of
> that agent becomes part of your firewall.

The scary "gotcha": what if the "cooperating agent" on the inside is a worm or a virus?

Crispin

--
Crispin Cowan, Ph.D.                      http://wirex.com/~crispin/
Chief Scientist, WireX                    http://wirex.com
HP/Trend Micro Immunix Secured Solutions
http://h18000.www1.hp.com/products/servers/solutions/iis/
                            Just say ".Nyet"


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

