Firewall Wizards mailing list archives
RE: tunnel vs open a hole
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Mon, 7 Apr 2003 15:14:50 -0500
Agreed! This is one reason why a client I work for has implemented outbound http proxying *with* authentication required. While certainly not perfect, this helps keep most things that require port 80 outbound to a minimum.

The biggest problem we have seen is that app developers don't understand how to handle a response from the proxy server that says "Hey, you tried to open a new connection but did not provide any credentials, so please authenticate." Rather, they just blindly assume it's gonna work and apparently don't perform any programming 101 error checking, and just let the app die a horrible (but deserving :-)) death.

<pet peeve> When will programmers begin (again) to do basic error checking? </pet peeve>

Marcus J. Ranum spewed:
We made a big mistake when we started building firewalls that allowed outgoing connections that were not individually authenticated and associated with a human user's request.

mjr.
---
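An added example, not part of the original message: one way a client can handle the proxy's "please authenticate" reply (HTTP 407 with a `Proxy-Authenticate` header) instead of assuming the connection worked. The function names, sample replies and credentials are constructed for illustration, and only the Basic scheme is handled.

```python
import base64

class ProxyAuthError(Exception):
    """The proxy demands credentials that this client cannot supply."""

def parse_response_head(raw: bytes):
    """Return (status_code, headers); header names lower-cased, values in lists."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def retry_headers(raw_response: bytes, username=None, password=None):
    """Return None if no retry is needed, or the extra headers for the retry.

    Raises ProxyAuthError with a clear reason rather than failing obscurely.
    """
    status, headers = parse_response_head(raw_response)
    if status != 407:
        return None
    challenges = headers.get("proxy-authenticate", [])
    schemes = [c.split(None, 1)[0].lower() for c in challenges if c]
    if "basic" not in schemes:
        raise ProxyAuthError(f"proxy offers unsupported schemes: {schemes}")
    if username is None or password is None:
        raise ProxyAuthError("proxy requires authentication; no credentials configured")
    # Basic is only base64-encoded, so the hop to the proxy sees the password.
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return {"Proxy-Authorization": f"Basic {token}"}

# Constructed sample replies (not captured from a real proxy).
CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b'Proxy-Authenticate: Basic realm="outbound"\r\n'
             b"Content-Length: 0\r\n\r\n")
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
NTLM_ONLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: NTLM\r\n\r\n")
```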