[fw-wiz] socks (was Re: FEP - Firewall enhancement protocol)

From: Bennett Todd (bet_at_rahul.net)
Date: 07/29/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 28 Jul 2004 22:51:12 +0000

    2004-07-26T20:25:56 ArkanoiD:
    > (Yes, i don't like socks. It provides no protocol knowledge and
    > may lead into punching gaping holes in the firewall when used
    > without proper restrictions. You may even bind external ports with
    > it!)

    I have to admit I like socks. Glad it's in my toolchest.

    Protocol-specific proxies are certainly what I reach for first, and
    Just Say No is a favourite approach.

    But socks can be significantly nicer than the alternatives I
    know of when there's a business need to allow a protocol, which
    cannot be effectively man-in-the-middled, and which doesn't have a
    builtin wrapper allowing user authentication and entitlements. SSL
    and ssh are examples that leap to mind. While socks provides no
    more protocol-specific protection than simply port forwarding or
    plug-gw-style proxies, it can enable authentication and fine-grained
    entitlements. Pick and choose who is allowed to connect to what over
    which ports, require them to authenticate as users (rather than
    having to trust the client IP), and log who connected where, and

    I'm looking forward to the day when we can instead deploy
    springboard servers for such services, and users authorized to use
    the services run them via a script that actually runs the
    security-worrisome app in a sandbox in the DMZ. We're getting there,
    not quite got all the bits yet.
