Firewall Wizards mailing list archives

RE: tunnel vs open a hole


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Tue, 8 Apr 2003 15:23:27 -0400

I was hoping someone would mention this as well.  HTTP tunneling is something that can be restricted or prevented using 
even a fairly basic application proxy, like the ones found in many modern firewall products.  But tunneling SSL or SSH 
is what gives me nightmares, and I'd be interested to hear what other organizations do to address this.

It is my understanding that if you allow HTTP/SSL, then you must 1) allow the use of 'CONNECT' proxying, which allows a 
tool like `bouncer` to subvert your security policy or 2) use a MITM style SSL proxy which robs the client of verifying 
the server certificate, possibly making outbound SSL connections susceptible to additional MITM attacks.  Worse yet, if 
you -don't- allow HTTP/SSL (TCP/443) traffic through your firewall, then your users may be submitting passwords in 
clear text across the Internet (assuming you allow HTTP through your aforementioned application proxy).

SSH is just as bad, or possibly worse, since most clients and daemons support port redirection.

PaulM

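As an added example that is not part of this thread, here is the kind of sanity check a CONNECT-capable proxy could apply before relaying a tunnel, to make the first option above (allowing CONNECT) less of a blank cheque: CONNECT is permitted only to port 443, and only when the client's first bytes look like a TLS ClientHello, so a raw SSH session pushed through CONNECT is refused. The request lines, allow-list and sample bytes are constructed for illustration.

```python
# Added example (not from the thread): a defender-side check for one CONNECT
# attempt. It allows CONNECT only to an allow-listed port and only when the
# client's first bytes look like a TLS handshake, so a plain SSH banner sent
# through the tunnel is rejected. All sample values are constructed.

ALLOWED_CONNECT_PORTS = {443}  # policy: only HTTPS may be tunnelled


def parse_connect_line(request_line: bytes):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii", "replace"), int(port)


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x03,
    two length bytes, then a handshake header whose type is 0x01 (ClientHello)."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x00, 0x01, 0x02, 0x03)
            and first_bytes[5] == 0x01)


def connect_decision(request_line: bytes, first_bytes: bytes) -> str:
    """Return 'allow' or 'deny:<reason>' for one CONNECT attempt."""
    parsed = parse_connect_line(request_line)
    if parsed is None:
        return "deny:malformed-connect"
    _host, port = parsed
    if port not in ALLOWED_CONNECT_PORTS:
        return "deny:port-not-allowed"
    if not looks_like_tls_client_hello(first_bytes):
        return "deny:not-tls-handshake"
    return "allow"


# Constructed samples: a ClientHello record prefix and an SSH version banner.
TLS_HELLO = bytes.fromhex("160301006f01000068")  # record hdr + handshake hdr
SSH_BANNER = b"SSH-2.0-OpenSSH_3.5\r\n"
```

A tunnel that wraps itself in a genuine TLS handshake passes this check, which is exactly the residual gap the message describes and the reason some sites fall back to a MITM-style SSL proxy.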


-----Original Message-----
From: Dave Piscitello <dave () corecom com>@AICNOTES
Sent: Tuesday, April 08, 2003 1:17 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] tunnel vs open a hole

No one discussed the benefits of using an encrypted, authenticated
tunnel (SSL, SSH, ...), which do provide additional controls. If I were
developing/deploying a (presumably) distributed application *today*,
I would begin with the assumption that I need stronger authentication
than UIPW, message integrity, and message confidentiality. Many of
the problems we struggle to correct today stem from the fact that
we think of security as something orthogonal to application functionality
rather than a core component/requirement.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards