Re: [fw-wiz] tunnel vs open a hole
From: Crispin Cowan (crispin@wirex.com)
Date: 04/07/03
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] tunnel vs open a hole"
- In reply to: Barney Wolff: "Re: [fw-wiz] tunnel vs open a hole"
- Next in thread: Barney Wolff: "Re: [fw-wiz] tunnel vs open a hole"
- Reply: Barney Wolff: "Re: [fw-wiz] tunnel vs open a hole"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Crispin Cowan <crispin@wirex.com> To: Barney Wolff <barney@pit.databus.com> Date: Sun, 06 Apr 2003 21:26:07 -0700
Barney Wolff wrote:
>On Sun, Apr 06, 2003 at 02:59:37PM -0400, Marcus J. Ranum wrote:
>
>>Protocol-over-protocol "attacks" mooted firewalls a loooooooong time
>>ago. We've just been cheerfully ignoring that fact. I was tunnelling
>>IP packets uuencoded over smtp back in the early 1990's (I guess
>>it would have been 1993 or -4) and got good enough RTTs that I
>>could even NFS-mount filesystems across a firewall once I had
>>tuned the NFS timeouts and retries correctly.
>>
>With all due respect, this is something of an overstatement. Tunneling
>requires a cooperating agent on the inside. The security policy of
>that agent becomes part of your firewall.
>
The scary "gotcha": what if the "cooperating agent" on the inside is a
worm or a virus?
Crispin
--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
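The IP-over-SMTP tunnel Marcus describes, viewed from the mail relay's side: an added example (not code from anyone in this thread) that decodes the uuencode block in a message body and checks whether it parses as a well-formed IPv4 packet (version nibble, IHL, total length, header checksum). The message format and packets below are constructed for the demonstration; the header checksum check is what separates a tunnelled packet from an ordinary uuencoded attachment.

```python
import binascii
import ipaddress
import re
import struct

UU_BLOCK = re.compile(r"^begin [0-7]{3} \S+\n(.*?)^end$", re.S | re.M)

def _ones_complement_sum(buf: bytes) -> int:
    """RFC 791 checksum arithmetic over an even-length buffer."""
    s = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def uudecode_first_block(body: str) -> bytes:
    """Decode the first 'begin ... end' uuencode block in a mail body, or b''."""
    m = UU_BLOCK.search(body)
    if not m:
        return b""
    return b"".join(binascii.a2b_uu(line) for line in m.group(1).splitlines() if line)

def looks_like_ipv4(buf: bytes) -> bool:
    """Heuristic: version 4, sane IHL, total length equal to blob, valid header checksum."""
    if len(buf) < 20:
        return False
    ver_ihl, _tos, total_len = struct.unpack("!BBH", buf[:4])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len != len(buf) or total_len < ihl:
        return False
    return _ones_complement_sum(buf[:ihl]) == 0xFFFF

def classify_mail(raw: str) -> str:
    """Return 'ipv4-in-uuencode' when the body's uuencode block decodes to an IPv4 packet."""
    _headers, _, body = raw.partition("\n\n")
    return "ipv4-in-uuencode" if looks_like_ipv4(uudecode_first_block(body)) else "no-tunnel"

# --- constructed samples (hypothetical mail, not traffic from the original thread) ---
def _ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = (~_ones_complement_sum(hdr)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def _uuencode(data: bytes, name: str = "blob") -> str:
    lines = ["begin 644 " + name]
    lines += [binascii.b2a_uu(data[i:i + 45]).decode().rstrip("\n") for i in range(0, len(data), 45)]
    return "\n".join(lines + ["`", "end"]) + "\n"

TUNNEL_MAIL = "From: a@example.test\nTo: b@example.test\nSubject: sync\n\n" + \
    _uuencode(_ipv4_packet("10.0.0.5", "10.0.0.9", 17, b"\x00\x35\x00\x35\x00\x10\x00\x00"))
BENIGN_MAIL = "From: a@example.test\nTo: b@example.test\nSubject: notes\n\n" + \
    _uuencode(b"meeting moved to 3pm, bring the NFS timeout numbers\n", "notes.txt")
```

A relay running this on outbound and inbound bodies catches only the naive encoding; Barney's point stands that whatever agent sits inside and decodes the tunnel has become part of the firewall policy, and that is where the control has to live.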