Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Mon, 7 Apr 2003 11:50:21 +0200 (CEST)
Hi,
> Sorry for this somewhat generic query, but I'd really want to know the general consensus on the issue from the esteemed list members. I have seen that such debates often spark on the list, and I think a summary (which might arise as a result of my query) would be useful for everybody, so... if to run a new application you'd have to either:
> 1. open a new port
> 2. accept tunneling over an already open port/protocol
> which would you choose?
A new port. To get a separation between the existing and the new traffic. If there is anything funny going on on the one port, the other is not affected (concerning closing or reconfiguring). There is one situation where I definitely choose the existing port: if it means I have to open many, many ports on the firewall. In this case I prefer them all coming through the same port outside to a specific host in a DMZ. From there, the required ports are opened to the more secure zone. (Ok, re-reading that, it is, too, a "choose a new port" :-) ).
> To clarify, imagine you have to have something that needs to talk through a firewall from a less secure compartment to a more secure one. And the options are: open TCP port XXXXX (to the required host only, of course), or tunnel over the currently open (or proxied) port 80?
As port 80 usually means http: Never do that. If you want to tunnel, use some more secure protocol which gives you some kind of confidentiality (ssh, ssl) on your way from the less secure compartment to the more secure one.

Cheers,

Chris.
--
GeNUA mbH

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards