Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: "Bill Royds" <broyds () rogers com>
Date: Tue, 8 Apr 2003 19:24:01 -0400
It does depend on what protocols you are passing through the port or the tunnel. If the protocol is pure HTTP (for some definition of pure HTTP), then an HTTP security proxy can validate it and at least prevent some random garbage, or normalize it, before allowing it past the firewall. Best would be to put the HTTP conformance proxy to listen on a separate port. It would validate traffic, but the traffic would be kept isolated from other HTTP traffic in the system.

If the protocol is new whizbang multi-media binary with no RFC or complete syntax review, then tunneling it over HTTP would not work with a good application gateway, or would require funny MIME encoding that pretended to be an allowed binary but connected to a special user agent that understood the subterfuge. This would add tremendous overhead to the transmission while subverting security (malicious servers could try to crash your whizbang special client with standard HTTP). Sending the data over its own dedicated port would at least allow some monitoring and the ability to isolate the stream on routers etc.

If you can define the syntax of the protocol in a structured way, then you could write a proxy for the firewall, but it would have the same risks as the frontend for your application, only then on the firewall. So handling it by a separate port with restricted connectivity seems the most secure.

If you can add additional authentication such as using ISAKMP and AH (which authenticates the packets but does not necessarily encrypt them), then you could be reasonably sure that the traffic came from the desired sender and has not been tampered with on the way. IPSEC does not necessarily need encryption of data, so that a log can be made of the actual usage of the protocol, not just its existence.

----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: <firewall-wizards () honor icsalabs com>
Sent: Friday, April 04, 2003 4:53 PM
Subject: [fw-wiz] tunnel vs open a hole

: All,
:
: Sorry for this somewhat generic query, but I'd really want to know the
: general consensus on the issue from the esteemed list members. I have
: seen that such debates often spark on the list, and I think a summary (which
: might arise as a result of my query) would be useful for everybody, so...
:
: ...if to run a new application you'd have to either:
:
: 1. open a new port
: 2. accept tunneling over an already open port/protocol
:
: which would you choose?
:
: To clarify, imagine you have to have something that needs to talk thru a
: firewall from a less secure compartment to a more secure one. And the
: options are: open TCP port XXXXX (to the required host only, of course),
: or tunnel over currently open (or proxied) port 80?
:
: Best,
: --
: Anton A. Chuvakin, Ph.D., GCI*
: http://www.chuvakin.org
: http://www.info-secure.org
:
: _______________________________________________
: firewall-wizards mailing list
: firewall-wizards () honor icsalabs com
: http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
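The "HTTP conformance proxy" Bill describes (validate that what arrives on the port really is HTTP, normalize it, and drop anything else, so a binary protocol smuggled over port 80 is rejected rather than passed) can be sketched as a strict request checker. The block below is an added example written for this archive page; it is not code from the thread or from any firewall product. The conformance profile it enforces (allowed methods, allowed Content-Type values, CRLF-only line endings, no duplicate Host/Content-Length, no Transfer-Encoding) and the sample requests are constructed for illustration; a real gateway would tune the allowlists to the one application it fronts.

```python
"""Strict HTTP/1.1 request conformance check of the kind a firewall proxy applies.

Added example (not from the original thread). The allowlists below are assumptions
chosen to illustrate a tight, application-specific profile.
"""
import re
from typing import Dict, Tuple

# RFC 7230 "tchar": the characters permitted in a method or header name
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Origin-form target only ("/path"); absolute-form and CONNECT are not accepted
REQUEST_LINE = re.compile(rf"^({TCHAR}) (/[\x21-\x7e]*) HTTP/1\.[01]$")
# name ":" OWS value OWS, value restricted to visible ASCII and SP/HTAB (no obs-fold)
HEADER_LINE = re.compile(rf"^({TCHAR}):[ \t]*([\x21-\x7e](?:[\x20-\x7e\t]*[\x21-\x7e])?)?[ \t]*$")

ALLOWED_METHODS = {"GET", "HEAD", "POST"}                      # assumption: profile for one web app
ALLOWED_CONTENT_TYPES = {"text/html", "text/plain",            # assumption: no opaque binary bodies
                         "application/x-www-form-urlencoded"}
SINGLETON_HEADERS = {"host", "content-length", "content-type"}  # duplicates here are a smuggling sign


class Reject(ValueError):
    """Raised when a request does not conform to the profile the proxy is willing to pass."""


def parse(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Validate one request; return (method, target, headers, body) or raise Reject."""
    if b"\r\n\r\n" not in raw:
        raise Reject("no CRLFCRLF end of headers")
    head, body = raw.split(b"\r\n\r\n", 1)
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise Reject("non-ASCII byte in request head")
    lines = text.split("\r\n")
    # After splitting on CRLF, any remaining CR or LF is a bare line ending: not HTTP
    if any("\r" in line or "\n" in line for line in lines):
        raise Reject("bare CR or LF in request head")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise Reject("malformed request line")
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        raise Reject(f"method {method} not allowed")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            raise Reject(f"malformed header line: {line!r}")
        name, value = h.group(1).lower(), h.group(2) or ""
        if name in headers:
            if name in SINGLETON_HEADERS:
                raise Reject(f"duplicate {name} header")
            value = headers[name] + ", " + value          # list-valued headers may be merged
        headers[name] = value
    if "host" not in headers:
        raise Reject("missing Host header")
    if "transfer-encoding" in headers:
        raise Reject("transfer-encoding not supported by this profile")
    length = headers.get("content-length", "0")
    if not length.isdigit():
        raise Reject("non-numeric content-length")
    if int(length) != len(body):
        raise Reject("content-length does not match body")
    if method in {"GET", "HEAD"} and body:
        raise Reject(f"body not allowed on {method}")
    if method == "POST":
        ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
        if ctype not in ALLOWED_CONTENT_TYPES:
            raise Reject(f"content-type {ctype!r} not allowed")
    return method, target, headers, body


def normalize(raw: bytes) -> bytes:
    """Rebuild the request in canonical form so only bytes the proxy understood reach the server."""
    method, target, headers, body = parse(raw)
    head = f"{method} {target} HTTP/1.1\r\n" + "".join(
        f"{k}: {v}\r\n" for k, v in sorted(headers.items()))
    return head.encode("ascii") + b"\r\n" + body


def decide(raw: bytes) -> str:
    """Return 'pass' or 'drop: <reason>' for one request."""
    try:
        parse(raw)
        return "pass"
    except Reject as e:
        return f"drop: {e}"


# Constructed sample traffic (not captured data): a plain request, a "whizbang" binary
# protocol tunnelled in a POST body, a request-smuggling attempt, and a bare-LF request.
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: fw-test\r\n\r\n",
    "tunnelled_binary": (b"POST /whizbang HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"Content-Type: application/octet-stream\r\nContent-Length: 6\r\n\r\n"
                         b"\x00\x01\x02\x03\x04\x05"),
    "double_length": (b"POST / HTTP/1.1\r\nHost: h\r\nContent-Type: text/plain\r\n"
                      b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello"),
    "bare_lf": b"GET / HTTP/1.1\nHost: h\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18s} {decide(raw)}")
```

The point of the allowlist on Content-Type is the one made in the message: a tunnelled binary protocol either fails conformance outright or has to masquerade as an allowed type, and a proxy this strict gives it nowhere to hide. Normalization (lower-cased names, single CRLF framing, body length recomputed) is what stops ambiguous framing from reaching the real server.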