Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Crispin Cowan <crispin () wirex com>
Date: Mon, 07 Apr 2003 12:09:16 -0700
Barney Wolff wrote:
> On Sun, Apr 06, 2003 at 09:26:07PM -0700, Crispin Cowan wrote:
>>> (BW wrote) With all due respect, this is something of an overstatement. Tunneling requires a cooperating agent on the inside. The security policy of that agent becomes part of your firewall.
>> The scary "gotcha": what if the "cooperating agent" on the inside is a worm or a virus?
> But saying that firewall technology is imperfect is different than saying it's not worth using. Would any expert go that far? The message is instead that defense in depth and strategies for detecting and handling breaches are required.

My main message is that firewalls are useful for keeping bad stuff out, but hopeless for keeping secret stuff in, for precisely the above reasons. I have taught this in class <http://www.cse.ogi.edu/%7Ecrispin/527/>, and it surprises a fair number of people. Many assume that you can configure a firewall to block outgoing traffic, and that stops the traffic. Nope: most firewalls pass HTTP on port 80, and nearly all pass DNS. In either case, you can encode your traffic to pass out of the network over those protocols. Therefore:

* You can use firewalls as a first line of defense.
* You can use firewalls as your /only/ line of defense if your needs are very simple and threat level is low.
* Otherwise you are going to need secondary defenses. I recommend using secure operating systems on your critical servers, but then again I sell such operating systems, so caveat emptor :-)

Crispin

--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
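The point above, that nearly every firewall passes DNS and that detection is therefore part of the secondary defense, can be illustrated from the defender's side. This is an added example, not code from the post or from the list: it scans constructed BIND-style query log lines for clients that issue many queries carrying long or high-entropy labels below the registered domain, which is how encoded traffic tends to show up in DNS; the log format, thresholds, client addresses and hostnames are assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style query log lines (sample data invented for this example).
SAMPLE_LOG = """\
07-Apr-2003 12:01:01.100 client 10.0.0.5#5353: query: www.example.com IN A
07-Apr-2003 12:01:02.200 client 10.0.0.5#5353: query: mail.example.com IN MX
07-Apr-2003 12:01:03.300 client 10.0.0.9#4123: query: 4d4a5a3c8b7e9f1a2b3c4d5e6f708192a3b4c5d6e7f8091a.data.example IN TXT
07-Apr-2003 12:01:03.400 client 10.0.0.9#4123: query: 9f8e7d6c5b4a39281706f5e4d3c2b1a0b4c5d6e7f8091a2b.data.example IN TXT
07-Apr-2003 12:01:03.500 client 10.0.0.9#4123: query: 0a1b2c3d4e5f60718293a4b5c6d7e8f9c5d6e7f8091a2b3c.data.example IN TXT
07-Apr-2003 12:01:04.600 client 10.0.0.7#6000: query: cdn.example.net IN A
"""

# Assumed log layout: "client <ip>#<port>: query: <name> IN <type>".
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex or base32 payloads score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text: str):
    """Yield (client, qname, qtype) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_tunnel_like(qname: str, qtype: str, max_label: int = 40, min_entropy: float = 3.5) -> bool:
    """Heuristic: oversized or high-entropy labels below the (assumed two-label) registered domain,
    or a bulky record type paired with a long subdomain. Tune thresholds to your own baseline."""
    labels = qname.split(".")
    sub_labels = labels[:-2]
    sub = "".join(sub_labels)
    if not sub:
        return False
    if max(len(label) for label in sub_labels) > max_label:
        return True
    if len(sub) >= 20 and shannon_entropy(sub) >= min_entropy:
        return True
    return qtype in {"TXT", "NULL"} and len(sub) >= 20


def flag_clients(log_text: str, threshold: int = 3) -> dict:
    """Return {client: [(qname, qtype), ...]} for clients with at least `threshold` suspicious queries."""
    hits = defaultdict(list)
    for src, qname, qtype in parse_queries(log_text):
        if is_tunnel_like(qname, qtype):
            hits[src].append((qname, qtype))
    return {src: queries for src, queries in hits.items() if len(queries) >= threshold}
```

A single odd query is noise; the per-client count over a window is what separates a tunnel from an unusual CDN hostname, so feed this a real log slice and adjust `threshold` before acting on it.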