Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Mon, 7 Apr 2003 11:50:21 +0200 (CEST)


  Hi,

Sorry for this somewhat generic query, but I'd really want to know the
general consensus on the issue from the esteemed list members. I have
seen that such debates often spark on the list, and I think a summary (which
might arise as a result of my query) would be useful for everybody, so...

...if to run a new application you'd have to either:

1. open a new port
2. accept tunneling over already open port/protocol

which would you choose?

  A new port. To get a separation between the existing and the
  new traffic. If there is anything funny going on on the one
  port the other is not affected (concerning closing or
  reconfiguring).

  There is one situation where I definitely choose the
  existing port: if it means I have to open many, many
  ports on the firewall. In this case I prefer them all
  coming through the same port outside to a specific
  host in a DMZ. From there the required ports are then opened
  to the more secure zone. (Ok, re-reading that, it is, too,
  a "choose a new port" :-)  ).

To clarify, imagine you have to have something that needs to talk through a
firewall from a less secure compartment to a more secure one. And the
options are: open TCP port XXXXX (to the required host only, of course),
or tunnel over currently open (or proxied) port 80?

  As port 80 usually means http: Never do that. If you want to
  tunnel, use some more secure protocol which gives you some kind
  of confidentiality (ssh, ssl) on your way from the less secure
  compartment to the more secure one.

  Cheers,


                                                     Chris.

-- 
GeNUA mbH


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
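As an added illustration of the two designs described in the reply above (a dedicated port opened to the required host only, and the "many ports" case where everything arrives on one encrypted port at a single DMZ host that alone may open the specific inward ports), here is a constructed nftables ruleset. It is not from the post or from GeNUA; every address, interface name, zone and port number in it is an assumption chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added illustration, not the poster's configuration. All values are constructed:
#   interface "outside" = less secure compartment, source net 198.51.100.0/24
#   interface "dmz"     = DMZ, relay host 192.0.2.10
#   interface "inside"  = more secure compartment, application server 10.0.0.5
#   tcp/5555            = hypothetical port of the new application
#   tcp/5432            = hypothetical second service the DMZ relay must reach
flush ruleset

table inet policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already accepted; broken state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Design 1: a dedicated port, to the required host only. Because it is a
        # rule of its own, it can be closed or changed without touching the
        # existing http rule below, which is the separation argument in the reply.
        iifname "outside" oifname "inside" ip saddr 198.51.100.0/24 ip daddr 10.0.0.5 tcp dport 5555 ct state new accept

        # The existing web traffic keeps its own rule and goes to the proxy only.
        # Nothing here lets the new application ride inside port 80, where the
        # firewall could not tell it apart from ordinary web requests.
        iifname "outside" oifname "dmz" ip daddr 192.0.2.10 tcp dport 80 ct state new accept

        # Design 2 (the "many, many ports" case): from outside, everything comes
        # in on one encrypted port (ssh) to a single DMZ host ...
        iifname "outside" oifname "dmz" ip saddr 198.51.100.0/24 ip daddr 192.0.2.10 tcp dport 22 ct state new accept

        # ... and only that DMZ host may open the specific ports toward the more
        # secure zone. Each inward port is still listed explicitly.
        iifname "dmz" oifname "inside" ip saddr 192.0.2.10 ip daddr 10.0.0.5 tcp dport { 5432, 5555 } ct state new accept

        # Everything else that reaches the boundary is counted, logged and dropped.
        log prefix "fw-drop: " counter drop
    }
}
```

Loading this with `nft -f` on a host that has the three interfaces gives one rule per decision the reply talks about: removing the tcp/5555 line affects nothing else, the DMZ relay is the only source allowed to reach inside on the two inward ports, and the only path in for the tunnelled variant is the ssh port, not port 80.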

