[fw-wiz] Instant Messengers and Firewalls

From: suren (suren_at_intotoinc.com)
Date: 08/26/04

    To: firewall-wizards@honor.icsalabs.com
    Date: 26 Aug 2004 10:40:32 -0700
    
    

    Hi,
       MSN, AOL and ICQ Messengers came a long way and they traverse
       through NAT/NAPT devices smoothly. IMs make use of 'Address Binding'
       (Section 3.1, RFC 3022) features of NAT devices to support Peer to
       Peer functionality, such as Audio/Video etc.

       But, they are not as friendly for Firewalls. Since the destination
       IP and Port of the peer are unknown at the time of configuration of
       firewall policies, the Administrator may be forced to allow all
       connections to all ports. This is not good from a security perspective.
       If the firewalls have Application intelligence of these protocols,
       they could only open temporary holes to allow data connections of
       these IMs. These protocols are proprietary and ever changing and it
       is also observed sometimes that they go for encrypting the data.
       So, firewalls can't be trusted to have support for new IMs
       immediately.

       These IMs have configuration for SOCKS5, which is meant for
       authenticated firewall traversal. But, it seems that these IMs
       did not implement UDP related commands of SOCKS5. SOCKS5 proxies
       can't be used for this purpose. Is my understanding right?

       Is there any other way to allow IMs without allowing all
       outbound connections?

    Thanks,
    Suren
    www.intoto.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
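The post turns on the UDP side of SOCKS5 that the IM clients reportedly did not implement. The following is an added illustration, not part of the original post and not code from any IM or proxy product: it encodes and decodes the RFC 1928 UDP ASSOCIATE request/reply and the UDP relay header, and shows the proxy-side decision that either refuses the command or hands back the one relay endpoint a firewall could permit instead of all outbound UDP. The IPv4 addresses and ports are constructed sample values, and only ATYP = IPv4 is handled.

```python
import socket
import struct

SOCKS_VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03
ATYP_IPV4 = 0x01
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0x00, 0x07

# Request and reply share one layout (RFC 1928 sections 4 and 6):
# VER, CMD or REP, RSV, ATYP, ADDR (4 bytes for IPv4), PORT (2 bytes) = 10 bytes.
MSG = "!BBBB4sH"
# UDP request header (RFC 1928 section 7): RSV(2), FRAG, ATYP, DST.ADDR, DST.PORT, then DATA.
UDP_HDR = "!HBB4sH"

def build_message(code, addr, port):
    """Encode a request (code = CMD) or a reply (code = REP). For UDP ASSOCIATE the
    request carries the client's own UDP socket, or 0.0.0.0:0 if not yet known, and a
    successful reply carries the relay endpoint (BND.ADDR/BND.PORT) the client must use."""
    return struct.pack(MSG, SOCKS_VER, code, 0, ATYP_IPV4, socket.inet_aton(addr), port)

def parse_message(data):
    """Decode a request or reply into (code, addr, port); IPv4 only."""
    ver, code, rsv, atyp, raw, port = struct.unpack(MSG, data)
    if ver != SOCKS_VER or rsv != 0 or atyp != ATYP_IPV4:
        raise ValueError("malformed or unsupported SOCKS5 message")
    return code, socket.inet_ntoa(raw), port

def proxy_handle(request, udp_supported, relay_addr, relay_port):
    """Proxy-side decision for one request: without UDP relaying, UDP ASSOCIATE is
    refused with 'command not supported' (0x07); otherwise the reply names the single
    relay endpoint (constructed here) that a firewall rule can be scoped to."""
    cmd, _, _ = parse_message(request)
    if cmd == CMD_UDP_ASSOCIATE and not udp_supported:
        return build_message(REP_CMD_NOT_SUPPORTED, "0.0.0.0", 0)
    return build_message(REP_SUCCEEDED, relay_addr, relay_port)

def encapsulate_udp(dst_addr, dst_port, payload):
    """Wrap an application datagram for the relay; FRAG = 0 means unfragmented."""
    return struct.pack(UDP_HDR, 0, 0, ATYP_IPV4, socket.inet_aton(dst_addr), dst_port) + payload

def decapsulate_udp(datagram):
    """Relay side: recover (dst_addr, dst_port, payload). Fragmented datagrams
    (FRAG != 0) are rejected here, which RFC 1928 permits a relay to do."""
    if len(datagram) < 10:
        raise ValueError("truncated SOCKS5 UDP datagram")
    rsv, frag, atyp, raw, port = struct.unpack(UDP_HDR, datagram[:10])
    if rsv != 0 or atyp != ATYP_IPV4 or frag != 0:
        raise ValueError("malformed, unsupported, or fragmented SOCKS5 UDP datagram")
    return socket.inet_ntoa(raw), port, datagram[10:]
```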

