Re: [fw-wiz] tunnel vs open a hole
From: Marcus J. Ranum (email@example.com)
To: "Anton A. Chuvakin" <firstname.lastname@example.org>, email@example.com
Date: Sun, 06 Apr 2003 14:59:37 -0400
Anton A. Chuvakin wrote:
>To clarify, imagine you have to have something that needs to talk through a
>firewall from a less secure compartment to a more secure one. And the
>options are: open TCP port XXXXX (to the required host only, of course),
>or tunnel over a currently open (or proxied) port 80?
Both options have the same security properties - tunnelling is pretty
much exactly the same as opening a port, except that whatever does
the tunnelling may log the event. (Which your firewall can do in the case
of opening a port)
The real question is whether the tunnelling system provides _ANY_
security controls above and beyond ip/src/dest/logging. If not, then
they're 100% the same. If you can do some kind of content filtering
or control, then it might be worth it.
Protocol-over-protocol "attacks" mooted firewalls a loooooooong time
ago. We've just been cheerfully ignoring that fact. I was tunnelling
IP packets uuencoded over smtp back in the early 1990's (I guess
it would have been 1993 or -4) and got good enough RTTs that I
could even NFS-mount filesystems across a firewall once I had
tuned the NFS timeouts and retries correctly.
---
Marcus J. Ranum
http://www.ranum.com
Computer and Communications Security
email@example.com
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
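The two points in the reply above, that protocol-over-protocol tunnelling (here, IP packets uuencoded into an SMTP-style message, the trick the post describes) crosses a port-filtering firewall as easily as an open port, and that the only thing a tunnel endpoint can add is a content check on what it carries, as an added example that is not part of the original post or Marcus Ranum's own code. The message framing (a `begin 644 packets` uuencode block with 2-byte length prefixes), the mailbox names, the addresses and the allow-list policy are all constructed for the demonstration; checksums are left zero because nothing here is put on a wire.

```python
"""Added example: IP-over-SMTP encapsulation plus an endpoint policy check."""
import binascii
import socket
import struct

# Constructed policy: only SSH (TCP/22) to one inside host may come out of the tunnel.
POLICY = {("10.1.1.5", 6, 22)}


def make_ipv4_packet(src, dst, proto, sport, dport, payload=b""):
    """Minimal IPv4 packet carrying a TCP (6) SYN or UDP (17) datagram; checksums zero."""
    if proto == 6:      # TCP: data offset 5 words, SYN flag, window 8192, csum/urg 0
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:   # UDP: length field covers header + payload
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


def encapsulate(packets):
    """Frame packets with a 2-byte length prefix and uuencode them into a mail body."""
    blob = b"".join(struct.pack("!H", len(p)) + p for p in packets)
    body = ["begin 644 packets"]
    for i in range(0, len(blob), 45):           # uuencode takes at most 45 bytes per line
        body.append(binascii.b2a_uu(blob[i:i + 45]).decode("ascii").rstrip("\n"))
    body += ["`", "end"]
    headers = ["From: tunnel-a@example.test", "To: tunnel-b@example.test",
               "Subject: packet batch", ""]
    return "\r\n".join(headers + body) + "\r\n"


def decapsulate(message):
    """The blind far end: recover every packet, no questions asked (an open port)."""
    lines = message.split("\r\n")
    start = lines.index("begin 644 packets") + 1
    end = lines.index("end")
    blob = b"".join(binascii.a2b_uu(line) for line in lines[start:end] if line != "`")
    packets, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack("!H", blob[pos:pos + 2])
        packets.append(blob[pos + 2:pos + 2 + n])
        pos += 2 + n
    return packets


def classify(packet):
    """(dst address, IP protocol, dst port or None) of a decapsulated IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = socket.inet_ntoa(packet[16:20])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] if proto in (6, 17) else None
    return dst, proto, dport


def filter_batch(message, policy=POLICY):
    """The controlled far end: forward only what the inner-packet policy allows."""
    allowed, dropped = [], []
    for pkt in decapsulate(message):
        (allowed if classify(pkt) in policy else dropped).append(pkt)
    return allowed, dropped


if __name__ == "__main__":
    batch = [make_ipv4_packet("192.0.2.10", "10.1.1.5", 6, 40000, 22),
             make_ipv4_packet("192.0.2.10", "10.1.1.5", 17, 40001, 53, b"dns?"),
             make_ipv4_packet("192.0.2.10", "10.1.1.9", 6, 40002, 445)]
    msg = encapsulate(batch)
    print(msg)                                  # what the port-25 firewall rule sees
    ok, bad = filter_batch(msg)
    print(f"{len(ok)} forwarded, {len(bad)} dropped by tunnel-endpoint policy")
```

A firewall that only matches src/dst/port sees three legitimate-looking mail messages; `decapsulate` alone reproduces the open-port case, while `filter_batch` is the "content filtering or control" that makes the tunnel worth more than the port. The same framing works over an HTTP POST body on port 80, which is the case the original question asks about.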