Re: [fw-wiz] tunnel vs open a hole
From: Bernie, CTA (cta@hcsin.net)
Date: 04/07/03
- Previous message: Mikael Olsson: "Re: [fw-wiz] tunnel vs open a hole"
- In reply to: Anton A. Chuvakin: "[fw-wiz] tunnel vs open a hole"
- Next in thread: Christine Kronberg: "Re: [fw-wiz] tunnel vs open a hole"
From: "Bernie, CTA" <cta@hcsin.net> To: firewall-wizards@honor.icsalabs.com Date: Sun, 6 Apr 2003 18:39:43 -0400
This is my approach:
First I would consider how your security policy defines and limits
accessibility of security categories (grouping of system entities), in
relation to clearances of subjects (users / processes) and
classification of objects (data).
Considering that you want to connect an entity that is more secure,
which I assume is sitting behind the firewall, to a less secure entity
outside the firewall, and given that we do not know the security
taxonomy of the current port / protocol, I would open a new port. If we
enable a new port we can establish a specific set of security policies
to maintain control over the subjects without compromising others.
Moreover, moving this level-transitional traffic (traffic moving between
entities defined with different security level classifications) to a new
port theoretically reduces the system's overall security threat/risk
ratio while improving the threat segregation response time (the time it
takes to isolate the different elements involved in a security threat).
On 4 Apr 2003, at 15:53, Anton A. Chuvakin wrote:
> All,
>
> Sorry for this somewhat generic query, but I'd really want to
> know the general consensus on the issue from the esteemed list
> members. I have seen that such debates often spark on the list,
> and I think a summary (which might arise as a result of my query)
> would be useful for everybody, so...
>
> ...if to run a new application you'd have to either:
>
> 1. open a new port
> 2. accept tunneling over already open port/protocol
>
> which would you choose?
>
> To clarify, imagine you have to have something that needs to talk
> through a firewall from a less secure compartment to a more secure
> one. And the options are: open TCP port XXXXX (to the required
> host only, of course), or tunnel over currently open (or proxied)
> port 80?
>
> Best,
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta@hcsin.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
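As an added illustration of the segregation argument in the post above (example code, not part of the message or the list): a toy policy model comparing a dedicated port opened to the required host only against tunnelling the new application inside the already-open port 80. Host names, the port number 4711 and the category labels are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    name: str      # which application the traffic belongs to
    src: str       # subject: host on the less secure side
    dst: str       # object: host on the more secure side
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str       # "any" or a single host
    dst: str
    dport: int
    label: str     # security category the policy assigns to matches

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src in ("any", flow.src)
            and rule.dst in ("any", flow.dst)
            and rule.dport == flow.dport)

def classify(policy, flows):
    """Map each flow to the label of the first permitting rule, or 'DENY'."""
    return {f: next((r.label for r in policy if matches(r, f)), "DENY")
            for f in flows}

def isolate(policy, flows, label):
    """Flows that go dark if every rule carrying `label` is withdrawn,
    i.e. what the post calls isolating the elements of a threat."""
    trimmed = [r for r in policy if r.label != label]
    before, after = classify(policy, flows), classify(trimmed, flows)
    return sorted(f.name for f in flows
                  if before[f] != "DENY" and after[f] == "DENY")

# Constructed sample traffic: ordinary browsing through the proxy.
WEB = Flow("web-browsing", "ws-17", "proxy", 80)
WEB2 = Flow("web-browsing", "ws-42", "proxy", 80)

# Design A: the new application gets its own port, required host only.
APP_A = Flow("new-app", "appclient", "apphost", 4711)   # placeholder port
POLICY_A = [Rule("any", "proxy", 80, "web"),
            Rule("appclient", "apphost", 4711, "transitional")]

# Design B: the new application is tunnelled inside port 80 to the proxy,
# so the policy has no category that names it; it inherits "web".
APP_B = Flow("new-app", "appclient", "proxy", 80)
POLICY_B = [Rule("any", "proxy", 80, "web")]

if __name__ == "__main__":
    print(isolate(POLICY_A, [WEB, WEB2, APP_A], "transitional"))  # only new-app
    print(isolate(POLICY_B, [WEB, WEB2, APP_B], "web"))  # browsing goes down too
```

Withdrawing the transitional rule in design A cuts off only the new application; in design B the only rule that covers it also carries all web browsing, which is the loss of segregation the post describes.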