Re: [fw-wiz] tunnel vs open a hole

From: Bernie, CTA
Date: 04/07/03

    From: "Bernie, CTA"
    Date: Sun, 6 Apr 2003 18:39:43 -0400

    This is my approach:

    First I would consider how your security policy defines and limits
    accessibility of security categories (groupings of system entities), in
    relation to clearances of subjects (users / processes) and
    classification of objects (data).

    Considering that you want to connect an entity that is more secure,
    which I assume is sitting behind the firewall, to a less secure entity
    outside the firewall, and given that we do not know the security
    taxonomy of the current port / protocol, I would open a new port. If we
    enable a new port we can establish a specific set of security policies
    to maintain control over the subjects without compromising others.
    Moreover, moving this level-transitional traffic (traffic moving between
    entities defined with different security level classifications) to a new
    port theoretically reduces the system's overall security threat/risk
    ratio while improving the threat segregation response time (the time it
    takes to isolate the different elements involved in a security threat).

    On 4 Apr 2003, at 15:53, Anton A. Chuvakin wrote:

    > All,
    > Sorry for this somewhat generic query, but I'd really like to
    > know the general consensus on the issue from the esteemed list
    > members. I have seen that such debates often spark on the list,
    > and I think a summary (which might arise as a result of my query)
    > would be useful for everybody, so...
    > ...if to run a new application you'd have to either:
    > 1. open a new port
    > 2. accept tunneling over an already open port/protocol
    > which would you choose?
    > To clarify, imagine you have to have something that needs to talk
    > through a firewall from a less secure compartment to a more secure
    > one. And the options are: open TCP port XXXXX (to the required
    > host only, of course), or tunnel over the currently open (or proxied)
    > port 80?
    > Best,


    Chief Technology Architect
    Chief Security Officer
    Euclidean Systems, Inc.
    // "There is no expedient to which a man will not go
    // to avoid the pure labor of honest thinking."
    // Honest thought, the real business capital.
    // Observe> Think> Plan> Think> Do> Think>

    firewall-wizards mailing list
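The following is an added illustration of the "open a new port with its own policy" approach argued for above; it is not part of the thread and is not Bernie's or Anton's code. It emits (as text, without applying anything) an nftables fragment in which the new flow gets a dedicated chain, counter and log prefix pinned to one outside host and one inside host, and it includes a small audit that flags accept rules for that port which are not pinned to both hosts. The addresses, the port number and the "loose" ruleset are constructed for the example; the nftables syntax is standard, but the chain and table names are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the firewall-wizards thread). Constructed values:
INSIDE_HOST="10.1.0.5"      # the more secure entity behind the firewall
OUTSIDE_HOST="192.0.2.10"   # the less secure entity outside
NEW_PORT="5555"             # stands in for the "TCP port XXXXX" of the question

# Emit an nftables fragment (text only; nothing is loaded into the kernel).
# The level-transitional flow gets its own chain, so its rules, counter and
# log lines can be inspected or removed without touching the web rule.
emit_dedicated_port_policy() {
  inside="$1"; outside="$2"; port="$3"; chain="svc_${3}"
  cat <<EOF
table inet fw {
  chain ${chain} {
    ip saddr ${outside} ip daddr ${inside} tcp dport ${port} ct state new counter log prefix "${chain}: " accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    jump ${chain}
    # The already-open port: a tunnel carried over it would share this rule,
    # its counter and its logs with every ordinary web request.
    ip daddr ${inside} tcp dport 80 ct state new accept
  }
}
EOF
}

# Audit helper: read a ruleset on stdin and print every accept rule for the
# given port that does not pin both source and destination host.
broad_rules_for_port() {
  port="$1"
  grep -E "tcp dport ${port}( |$)" | grep -E '(^| )accept( |$)' \
    | grep -Ev 'ip saddr [0-9.]+ ip daddr [0-9.]+' || true
}

# Number of such broad rules in the ruleset passed on stdin (prints 0 if none).
count_broad_rules() {
  broad_rules_for_port "$1" | grep -c . || true
}

# Constructed counter-example: the same port opened without any host pinning.
LOOSE_RULESET='table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    tcp dport 5555 accept
    ip daddr 10.1.0.5 tcp dport 80 accept
  }
}'

# Usage: generate the policy and audit both rulesets.
emit_dedicated_port_policy "$INSIDE_HOST" "$OUTSIDE_HOST" "$NEW_PORT"
echo "broad rules in generated policy: $(emit_dedicated_port_policy "$INSIDE_HOST" "$OUTSIDE_HOST" "$NEW_PORT" | count_broad_rules "$NEW_PORT")"
echo "broad rules in loose ruleset:    $(printf '%s\n' "$LOOSE_RULESET" | count_broad_rules "$NEW_PORT")"
```

The point of the separate chain is the "threat segregation response time" mentioned in the reply: `nft delete chain inet fw svc_5555` (or removing the `jump`) cuts exactly that flow, and `log prefix "svc_5555: "` lets the flow be filtered out of the firewall log on its own, whereas a tunnel over port 80 could only be stopped by taking the web rule down with it.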
