Re: [fw-wiz] tunnel vs open a hole

From: Marcus J. Ranum (mjr@ranum.com)
Date: 04/06/03

  • Next message: Adam Shostack: "Re: [fw-wiz] tunnel vs open a hole" 
    To: "Anton A. Chuvakin" <anton@chuvakin.org>, firewall-wizards@honor.icsalabs.com
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Sun, 06 Apr 2003 14:59:37 -0400

    Anton A. Chuvakin wrote:
    >To clarify, imagine you have to have something that need to talk thru a
    >firewall from a less secure compartment to a more secure one. And the
    >options are: open TCP port XXXXX (to the required host only, of course),
    >or tunnel over currently open (or proxied) port 80?

    Both options have the same security properties - tunnelling is pretty
    much exactly the same as opening a port, except that whatever does
    the tunnelling may log the event. (Which your firewall can do in the case
    of opening a port)

    The real question is whether the tunnelling system provides _ANY_
    security controls above and beyond ip/src/dest/logging. If not, then
    they're 100% the same. If you can do some kind of content filtering
    or control, then it might be worth it.

    Protocol-over-protocol "attacks" mooted firewalls a loooooooong time
    ago. We've just been cheerfully ignoring that fact. I was tunnelling
    IP packets uuencoded over smtp back in the early 1990's (I guess
    it would have been 1993 or -4) and got good enough RTTs that I
    could even NFS-mount filesystems across a firewall once I had
    tuned the NFS timeouts and retries correctly.

    mjr. 

    ---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjr@ranum.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
  • Next message: Adam Shostack: "Re: [fw-wiz] tunnel vs open a hole"

    Relevant Pages

    • Re: Usinf Tunneling program to get xbox halo to play online
      ... I have a linksys router and windows xp. ... If you're using the Windows/Internet Connection Firewall that's built into ... the needed ports for the tunnelling software. ...
      (microsoft.public.windowsxp.games)
    • Re: [fw-wiz] tunnel vs open a hole
      ... I was tunnelling ... that agent becomes part of your firewall. ... implements your security policy" rather than "the box with that label". ... The implication of this reasoning is clear: If you don't control the ...
      (Firewall-Wizards)
    • Re: [fw-wiz] tunnel vs open a hole
      ... open a new port ... > firewall from a less secure compartment to a more secure one. ...
      (Firewall-Wizards)
    • Re: SSH from Windows to Linux w/port forwarding.
      ... I have the same setup: Cygwin client tunnelling to a Debian server. ... (misconfigured firewall?). ...
      (comp.security.ssh)
    • Re: keeping ports open
      ... If a port is open, it means that 1) a software or service is running on your ... and 2) you're not using a firewall or your firewall isn't ... Use firewall software and hardware and antivirus software that is ... Follow the instructions for hardening Windows and IIS at ...
      (microsoft.public.security)