Re: [fw-wiz] tunnel vs open a hole

From: Bill Royds (broyds@rogers.com)
Date: 04/09/03

    From: "Bill Royds" <broyds@rogers.com>
    To: "Anton A. Chuvakin" <anton@chuvakin.org>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 8 Apr 2003 19:24:01 -0400
    

    It does depend on what protocols you are passing through the port or the
    tunnel.
    If the protocol is pure HTTP (for some definition of pure HTTP), then an
    HTTP security proxy can validate it and at least prevent some random garbage,
    or normalize it, before allowing it past the firewall.
      Best would be to have the HTTP conformance proxy listen on a separate
    port. It would validate traffic but the traffic would be kept isolated from
    other HTTP traffic in the system.

    If the protocol is new whizbang multi-media binary with no RFC or complete
    syntax review, then tunneling it over HTTP would not work with a good
    application gateway, or would require funny MIME encoding that pretended to
    be an allowed binary but connected to a special user agent that understood
    the subterfuge. This would add tremendous overhead to the transmission while
    subverting security (malicious servers could try to crash your whizbang
    special client with standard HTTP). Sending the data over its own
    dedicated port would at least allow some monitoring and the ability to
    isolate the stream on routers etc.
       If you can define the syntax of the protocol in a structured way, then
    you could write a proxy for the firewall, but it would have the same risks
    as the frontend for your application, but then on the firewall. So handling
    it by a separate port with restricted connectivity seems the most secure.
       If you can add additional authentication such as using ISAKMP and
    AH (which authenticates the packets but does not necessarily encrypt them),
    then you could be reasonably sure that the traffic came from the desired
    sender and has not been tampered with on the way. IPSEC does not necessarily
    need encryption of data, so that a log can be made of the actual usage of the
    protocol, not just its existence.

    ----- Original Message -----
    From: "Anton A. Chuvakin" <anton@chuvakin.org>
    To: <firewall-wizards@honor.icsalabs.com>
    Sent: Friday, April 04, 2003 4:53 PM
    Subject: [fw-wiz] tunnel vs open a hole

    : All,
    :
    : Sorry for this somewhat generic query, but I'd really want to know the
    : general consensus on the issue from the esteemed list members. I have
    : seen that such debates often spark on the list, and I think a summary (which
    : might arise as a result of my query) would be useful for everybody, so...
    :
    : ...if to run a new application you'd have to either:
    :
    : 1. open a new port
    : 2. accept tunneling over already open port/protocol
    :
    : which would you choose?
    :
    : To clarify, imagine you have to have something that needs to talk thru a
    : firewall from a less secure compartment to a more secure one. And the
    : options are: open TCP port XXXXX (to the required host only, of course),
    : or tunnel over currently open (or proxied) port 80?
    :
    : Best,
    : --
    : Anton A. Chuvakin, Ph.D., GCI*
    : http://www.chuvakin.org
    : http://www.info-secure.org
    :
    : _______________________________________________
    : firewall-wizards mailing list
    : firewall-wizards@honor.icsalabs.com
    : http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
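The HTTP conformance proxy Bill describes above (listen on a dedicated port, validate the traffic, and drop anything that is not well-formed HTTP before it passes the firewall) can be sketched as a strict check on the request header block. The following is an added example and is not code from the post or from the firewall-wizards list; the permitted methods and versions are assumptions chosen for illustration, and the sample requests are constructed, not captured traffic.

```python
"""Minimal HTTP/1.x request-header conformance check (added example).

Shows the kind of validation a dedicated-port HTTP conformance proxy can do
before relaying: anything that is not syntactically HTTP (binary blobs,
tunnelled protocols, ambiguous framing) is rejected with a reason.
"""
import re

# Policy knobs for this hypothetical proxy (assumptions, not from the post)
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 'token' (methods, header names)
FIELD_VALUE_RE = re.compile(r"^[\t\x20-\x7e]*$")           # printable US-ASCII plus HTAB
# request-target: origin-form, asterisk-form, or a simplified absolute-form
TARGET_RE = re.compile(r"^(/[\x21-\x7e]*|\*|[A-Za-z][A-Za-z0-9+.-]*://[\x21-\x7e]+)$")


def validate_http_request(raw: bytes):
    """Check that `raw` begins with a conforming HTTP/1.x request header block.

    Returns (True, "ok") or (False, reason).  Only the header block is examined;
    a real proxy would go on to enforce body-length rules before relaying.
    """
    end = raw.find(b"\r\n\r\n")
    if end == -1:
        return False, "no CRLFCRLF header terminator"
    head = raw[:end]
    # Anything outside printable ASCII / HTAB / CR / LF is not HTTP syntax at all
    if any(not (0x20 <= b <= 0x7e or b in (0x09, 0x0D, 0x0A)) for b in head):
        return False, "non-printable or non-ASCII byte in header block"
    lines = head.split(b"\r\n")
    if any(b"\r" in ln or b"\n" in ln for ln in lines):
        return False, "bare CR or LF in header block"
    text = [ln.decode("ascii") for ln in lines]

    # Request line must be exactly: METHOD SP request-target SP HTTP-version
    parts = text[0].split(" ")
    if len(parts) != 3 or not all(parts):
        return False, "malformed request line"
    method, target, version = parts
    if not TOKEN_RE.match(method) or method not in ALLOWED_METHODS:
        return False, f"method not permitted: {method}"
    if not TARGET_RE.match(target):
        return False, "malformed request-target"
    if version not in ALLOWED_VERSIONS:
        return False, f"version not permitted: {version}"

    # Header fields: token ":" value, collected case-insensitively
    headers = {}
    for line in text[1:]:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            return False, f"malformed header field: {line!r}"
        value = value.strip(" \t")
        if not FIELD_VALUE_RE.match(value):
            return False, f"bad characters in header value: {name}"
        headers.setdefault(name.lower(), []).append(value)

    # Framing rules that a relaying proxy must be able to rely on
    if version == "HTTP/1.1" and len(headers.get("host", [])) != 1:
        return False, "HTTP/1.1 request must carry exactly one Host header"
    cl = headers.get("content-length", [])
    if len(cl) > 1:
        return False, "multiple Content-Length values"
    if cl and not cl[0].isdigit():
        return False, "non-numeric Content-Length"
    if cl and "transfer-encoding" in headers:
        return False, "both Content-Length and Transfer-Encoding present"
    return True, "ok"


# Constructed sample inputs (not captured traffic)
SAMPLES = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: fw-check/0.1\r\n\r\n",
    "binary_blob": b"\x00\x01WHIZ\xff\xfe\r\n\r\n",
    "dup_content_length": b"POST /upload HTTP/1.1\r\nHost: app.example.com\r\n"
                          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
    "connect_tunnel": b"CONNECT app.example.com:443 HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
    "bare_lf": b"GET / HTTP/1.1\r\nHost: a\nX-Injected: y\r\n\r\n",
}


def check_samples():
    """Run every sample through the validator; returns {name: (ok, reason)}."""
    return {name: validate_http_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name:20s} {'PASS' if ok else 'DROP'}  {reason}")
```

Only the plain GET passes; the binary blob, the duplicated Content-Length, the CONNECT tunnel request and the header with a bare LF are all dropped with a logged reason, which is the "prevent some random garbage" behaviour the post attributes to a security proxy. Running the proxy on its own port, as suggested, keeps these rejections (and the log of them) separate from the organisation's ordinary web traffic.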

