Re: [fw-wiz] tunnel vs open a hole

From: Adam Shostack (adam@homeport.org)
Date: 04/06/03

  • Next message: Mikael Olsson: "Re: [fw-wiz] tunnel vs open a hole"
    From: Adam Shostack <adam@homeport.org>
    To: "Anton A. Chuvakin" <anton@chuvakin.org>
    Date: Sun, 6 Apr 2003 15:04:50 -0400
    

    On Fri, Apr 04, 2003 at 03:53:36PM -0500, Anton A. Chuvakin wrote:
    | All,
    |
    | Sorry for this somewhat generic query, but I'd really want to know the
    | general consensus on the issue from the esteemed list members. I have
    | seen that such debates often spark on the list, and I think a summary (which
    | might arise as a result of my query) would be useful for everybody, so...
    |
    | ...if to run a new application you'd have to either:
    |
    | 1. open a new port
    | 2. accept tunneling over already open port/protocol
    |
    | which would you choose?
    |
    | To clarify, imagine you have to have something that needs to talk through a
    | firewall from a less secure compartment to a more secure one. And the
    | options are: open TCP port XXXXX (to the required host only, of course),
    | or tunnel over currently open (or proxied) port 80?

    Opening a new port allows you to compartmentalize, should you discover
    that the external component has vulnerabilities.

    Adam

    -- 
    "It is seldom that liberty of any kind is lost all at once."
                                                   -Hume
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
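The compartmentalization point Adam makes can be shown with a small first-match packet-filter model. This is an added example, not code from the thread or from any firewall product: it assumes a constructed rule set, constructed addresses, and port 5555 standing in for the "port XXXXX" of the question. In the dedicated-port design, the new application has its own rule (restricted to the required host), so a quarantine drop for that port stops only the new application. In the tunnel design, the application's traffic is indistinguishable from ordinary web traffic at the filter, so the only available response is to block port 80 for everyone.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # source host, or "any"
    dst: str               # destination host, or "any"
    dport: Optional[int]   # destination port, or None for any port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit default-drop policy."""
    for r in rules:
        if r.src not in ("any", flow.src):
            continue
        if r.dst not in ("any", flow.dst):
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return "drop"


# Constructed addresses and port; 5555 stands in for "port XXXXX" in the question.
APP_PORT = 5555
APP_HOST = "10.0.2.10"   # the required host in the more secure compartment
WEB_HOST = "10.0.2.20"   # existing web server already reachable on port 80
OUTSIDE = "192.0.2.50"   # client in the less secure compartment

# Design 1: open a new port, to the required host only.
DEDICATED: List[Rule] = [
    Rule("accept", "any", WEB_HOST, 80, "existing web service"),
    Rule("accept", OUTSIDE, APP_HOST, APP_PORT, "new app, required host only"),
]

# Design 2: tunnel the new app over the already-open port 80.
TUNNELED: List[Rule] = [
    Rule("accept", "any", WEB_HOST, 80, "existing web service; new app rides on it"),
]


def quarantine(rules: List[Rule], dport: int) -> List[Rule]:
    """Incident response: prepend a drop for the port the vulnerable component uses."""
    return [Rule("drop", "any", "any", dport, "quarantine")] + list(rules)


def compare() -> dict:
    """Return accept/drop verdicts for both designs, before and after quarantine."""
    web = Flow(OUTSIDE, WEB_HOST, 80)
    app_direct = Flow(OUTSIDE, APP_HOST, APP_PORT)
    app_tunnel = Flow(OUTSIDE, WEB_HOST, 80)        # same 5-tuple as web traffic
    app_other_host = Flow(OUTSIDE, WEB_HOST, APP_PORT)  # app port, but not the required host

    ded_q = quarantine(DEDICATED, APP_PORT)
    tun_q = quarantine(TUNNELED, 80)
    return {
        # Before an incident: both designs let the app through; the dedicated
        # rule additionally refuses the app port on any other host.
        "dedicated_before": (evaluate(DEDICATED, web),
                             evaluate(DEDICATED, app_direct),
                             evaluate(DEDICATED, app_other_host)),
        "tunnel_before": (evaluate(TUNNELED, web), evaluate(TUNNELED, app_tunnel)),
        # After quarantining the vulnerable component: only the dedicated-port
        # design keeps the web service up while cutting off the app.
        "dedicated_after": (evaluate(ded_q, web), evaluate(ded_q, app_direct)),
        "tunnel_after": (evaluate(tun_q, web), evaluate(tun_q, app_tunnel)),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:17s} {verdicts}")
```

The model deliberately stops at the 5-tuple, which is all a plain packet filter sees; a proxy that inspects the HTTP payload could narrow the tunnel case, but then the compartment boundary depends on the proxy's parsing of the tunneled protocol rather than on a rule the firewall administrator can read and revoke.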
