Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Instance Messengers and Firewalls

From: ArkanoiD <ark () eltex net>
Date: Fri, 3 Sep 2004 19:07:09 +0400
nuqneH,

I think the best idea is to disable p2p functionality and to enforce
protocol checks if possible.

On Sat, Aug 28, 2004 at 11:17:48AM +0100, Kevin Sheldrake wrote:

I believe most IM software can be forced to tunnel connections over HTTP.   
This has the distinct advantage that port management in the firewall is  
unnecesary (save for a stateful outbound tcp/80).  AMSN, for instance,  
will connect, chat and receive files over this method.  The downside is  
that HTTP (or more specifically, port 80) is being abused by the IM  
software.  Search the RFC index for TCP/IP over HTTP for more info on why  
this is bad practice.

If you have to allow IM software, putting them over HTTP is probably the  
best of a bunch of bad things that you could do.

Kev



Hi,
   MSN, AOL and ICQ Messengers came long way and they traverse
   through NAT/NAPT devices smoothly. IMs make use of 'Address Binding'
   (Section 3.1, rfc 3022) features of NAT devices to support Peer to
   Peer functionality, such as Audio/Video etc..

   But, they are not as friendly for Firewalls. Since the destination
   IP and Port of peer are unknown at the time of configuration of
   firewall policies, Administartor may be forced to allow all
   connections to all ports. This is not good for security perspective.
   If the firewalls have Application intelligence of these protocols,
   they could only open temporary holes to allow data conenctions of
   these IMs. These protocols are proprietary and ever changing and it
   is also observed some times, they go for encrypting the data.
   So, firewalls can't be trusted to have support for new IMs
   immediately.

    These IMs have configuration for SOCKS5, which is meant for
    authenticated firewall traversal. But, it seems that these IMs
    did not implement UDP related commands of SOCKS5. SOCK5 proxies
    can't be used for this purpose.  Is my understading right?

    Is there any other way to allow IMs without allowing all
    outbound connections?


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: