Firewall Wizards mailing list archives
Instant Messengers and Firewalls
From: suren <suren () intotoinc com>
Date: 26 Aug 2004 10:40:32 -0700
Hi,

MSN, AOL and ICQ Messengers have come a long way and they traverse NAT/NAPT devices smoothly. IMs make use of the 'Address Binding' feature (Section 3.1, RFC 3022) of NAT devices to support peer-to-peer functionality such as audio/video etc. But they are not as friendly to firewalls. Since the destination IP and port of the peer are unknown at the time the firewall policies are configured, the administrator may be forced to allow all connections to all ports. This is not good from a security perspective.

If the firewalls had application intelligence for these protocols, they could open only temporary holes to allow the data connections of these IMs. These protocols are proprietary and ever-changing, and it has also been observed that sometimes they encrypt the data. So firewalls can't be trusted to have support for new IMs immediately.

These IMs have configuration for SOCKS5, which is meant for authenticated firewall traversal. But it seems that these IMs did not implement the UDP-related commands of SOCKS5, so SOCKS5 proxies can't be used for this purpose. Is my understanding right? Is there any other way to allow IMs without allowing all outbound connections?

Thanks,
Suren
www.intoto.com
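For readers unfamiliar with the SOCKS5 UDP commands the post refers to, here is an added illustration (not part of Suren's post and not code from any IM client) of what a client has to speak to carry UDP media through an authenticating SOCKS5 proxy: the UDP ASSOCIATE request and reply, and the per-datagram encapsulation header, as laid out in RFC 1928. The host names and ports used in the comments are constructed sample values.

```python
import socket
import struct

SOCKS_VER = 0x05
CMD_UDP_ASSOCIATE = 0x03  # the SOCKS5 command the post says the IMs never implemented
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def _encode_addr(host, port):
    """ATYP + address + port (network order), IPv4 or domain name, per RFC 1928."""
    try:
        return bytes([ATYP_IPV4]) + socket.inet_aton(host) + struct.pack("!H", port)
    except OSError:  # not a dotted quad: send a domain name for the proxy to resolve
        name = host.encode("idna")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)

def _decode_addr(buf, off):
    """Return (host, port, next_offset) for the ATYP-prefixed address at buf[off]."""
    atyp = buf[off]
    if atyp == ATYP_IPV4:
        host, off = socket.inet_ntoa(buf[off + 1:off + 5]), off + 5
    elif atyp == ATYP_DOMAIN:
        n = buf[off + 1]
        host, off = buf[off + 2:off + 2 + n].decode("idna"), off + 2 + n
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    port, = struct.unpack("!H", buf[off:off + 2])
    return host, port, off + 2

def udp_associate_request(client_host, client_port):
    """Ask the proxy to relay UDP; address is where the client will send from (0.0.0.0:0 if unknown)."""
    return bytes([SOCKS_VER, CMD_UDP_ASSOCIATE, 0x00]) + _encode_addr(client_host, client_port)

def parse_reply(reply):
    """Return (REP, BND.ADDR, BND.PORT); REP 0 is success, BND is the relay to send datagrams to."""
    if len(reply) < 4 or reply[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    host, port, _ = _decode_addr(reply, 3)
    return reply[1], host, port

def encapsulate_udp(dst_host, dst_port, payload):
    """Wrap a datagram for the relay: RSV(2) FRAG(1) ATYP DST.ADDR DST.PORT DATA (RFC 1928 s.7)."""
    return b"\x00\x00\x00" + _encode_addr(dst_host, dst_port) + payload

def decapsulate_udp(datagram):
    """Unwrap a relayed datagram; fragments are refused (RFC 1928 lets a relay drop them)."""
    if datagram[:3] != b"\x00\x00\x00":  # RSV must be zero and we only accept FRAG == 0
        raise ValueError("reserved bytes nonzero or fragmented datagram")
    host, port, off = _decode_addr(datagram, 3)
    return host, port, datagram[off:]
```

The TCP control connection carrying the request (with its username/password authentication) is what lets an administrator permit only the proxy outbound; the relay address in the reply is the single UDP endpoint the firewall then needs to know about.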