Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Barney Wolff <barney () pit databus com>
Date: Mon, 7 Apr 2003 13:18:24 -0400

On Sun, Apr 06, 2003 at 09:26:07PM -0700, Crispin Cowan wrote:
> (BW wrote)
> > With all due respect, this is something of an overstatement.  Tunneling
> > requires a cooperating agent on the inside.  The security policy of
> > that agent becomes part of your firewall.
>
> The scary "gotcha": what if the "cooperating agent" on the inside is a
> worm or a virus?

Once the enemy is within your perimeter, the game is mostly over no matter
what, because as mjr has pointed out connecting from inside to outside
is rarely impossible or even difficult, and that connection can then be
used to tunnel commands from outside in.

But saying that firewall technology is imperfect is different than saying
it's not worth using.  Would any expert go that far?  The message is
instead that defense in depth and strategies for detecting and handling
breaches are required.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

