Re: [fw-wiz] tunnel vs open a hole

From: Dave Rinker (firewall@dsrtech.com)
Date: 04/07/03

    From: Dave Rinker <firewall@dsrtech.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: 07 Apr 2003 15:55:35 -0400
    

    I would have to concur with the majority. Opening a new port, hardening
    the host and beefing up the log monitors to this host looks to be the
    best solution.

    I believe we all have "swiss cheese" firewalls in one regard or another.
    I personally dislike my cheesy FW but have to deal with it just the
    same. The best we can do is log, monitor, and more monitoring and catch
    it the moment it happens. At least this way we can lock down the port or
    host and prevent a disaster.

    Good topic! Thanks.

    On Mon, 2003-04-07 at 11:21, Anton A. Chuvakin wrote:
    > All,
    >
    > Thanks for lots of great responses! Before asking the question, it seemed
    > to me that opening a port also made more sense, and now I am even more
    > convinced of that.
    >
    > > As port 80 usually means http: Never do that. If you want to
    > Certainly.
    >
    > However, surely people started to httptunnel not just because it was a fun
    > thing to do? I suspect it was in part due to the fact that in some
    > environments, admins were really hard to convince that opening another
    > port is possible WHILE allowing almost unrestricted web access. It might
    > seem like a contradiction in their security policy, but surely you'd know
    > of places where it is done exactly like that. Additionally, what if
    > opening a port turns into "let's open yet another port in our swiss-cheese
    > firewall and pray this application can't be exploited"? Will tunneling be
    > justified in this case? Will it not reduce security a bit less than
    > opening a port?
    >
    > Best,

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

