Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Crispin Cowan <crispin () wirex com>
Date: Sun, 06 Apr 2003 21:26:07 -0700
Barney Wolff wrote:
The scary "gotcha": what if the "cooperating agent" on the inside is a worm or a virus?On Sun, Apr 06, 2003 at 02:59:37PM -0400, Marcus J. Ranum wrote:Protocol-over-protocol "attacks" mooted firewalls a loooooooong time ago. We've just been cheerfully ignoring that fact. I was tunnelling IP packets uuencoded over smtp back in the early 1990's (I guess it would have been 1993 or -4) and got good enough RTTs that I could even NFS-mount filesystems across a firewall once I had tuned the NFS timeouts and retries correctly.With all due respect, this is something of an overstatement. Tunneling requires a cooperating agent on the inside. The security policy of that agent becomes part of your firewall.
Crispin -- Crispin Cowan, Ph.D. http://wirex.com/~crispin/ Chief Scientist, WireX http://wirex.com HP/Trend Micro Immunix Secured Solutions http://h18000.www1.hp.com/products/servers/solutions/iis/ Just say ".Nyet" _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Application requires VPN - How are these handled? Michele Jordan (Apr 01)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mike Scher (Apr 02)
- tunnel vs open a hole Anton A. Chuvakin (Apr 06)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 06)
- Re: tunnel vs open a hole Barney Wolff (Apr 06)
- Re: tunnel vs open a hole Marcus J. Ranum (Apr 06)
- Re: tunnel vs open a hole Crispin Cowan (Apr 07)
- Re: tunnel vs open a hole Barney Wolff (Apr 07)
- Re: tunnel vs open a hole Crispin Cowan (Apr 07)
- Re: Application requires VPN - How are these handled? Paul Robertson (Apr 01)
- Re: Application requires VPN - How are these handled? Mikael Olsson (Apr 01)
- Re: tunnel vs open a hole Dave Piscitello (Apr 08)
- Re: tunnel vs open a hole Frederick M Avolio (Apr 08)
- Re: tunnel vs open a hole Adam Shostack (Apr 08)
- Re: tunnel vs open a hole Dave Piscitello (Apr 08)
- Re: tunnel vs open a hole Frederick M Avolio (Apr 09)
- Re: tunnel vs open a hole Frank Knobbe (Apr 08)
- Re: tunnel vs open a hole Adam Shostack (Apr 06)
- Re: tunnel vs open a hole Mikael Olsson (Apr 06)