Re: [fw-wiz] IPS vs. Firewalls (why vs. ?)



Marcus J. Ranum wrote:

> This is exactly what I meant about whether a device is internally designed
> around 'default permit' or 'default deny'. A device that is aimed toward
> default deny would know what totally vanilla HTTP looked like and would
> discard anything that was not exactly plain HTTP.

I made a similar comment.

> Protocol-over-protocol tunnelling is nothing new. But step back and ask
> yourself "why tunnel protocol over protocol"?? There is actually no real
> reason for tunnelling except to make it easier to bypass controls, right?
> After all, if we use SSL on port 443 for "https" and SSL on port 993
> for "imap" etc., it's clear that we can use protocol layering without
> trying to violate policy... So, frankly, I feel that if I see instant messenger
> traffic on my HTTP service that I've caught someone with their hand in
> the cookie jar, so to speak. Time to cut it off...

Yep.

> Remember, a lot of these tunnelled protocols are billed as being
> "firewall friendly."

The marketing euphemism is "firewall aware" not "firewall friendly".

To truly understand what firewall administrators are up against, read the Skype firewall FAQ at http://www.skype.com/help/guides/firewall.html

One statement that stands out among all others as most onerous:

"Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure."

I think I've identified candidate skulls for those .50 BMG SLAP rounds you mentioned.
-- 
David Piscitello
http://hhi.corecom.com/weblogindex.htm
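The "default deny" device Ranum describes above, one that knows what vanilla HTTP looks like and discards everything else, can be illustrated with a small request validator. This is an added example, not code from this thread or from any product mentioned in it; the allowed methods, the header allow/deny rules and the sample requests are all constructed assumptions chosen to show the idea, and a real gateway would also have to handle chunked bodies, pipelining and response validation.

```python
import re

# Default-deny policy: enumerate what a plain browser request looks like and
# reject anything else. Everything below is an assumption for this example.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # no CONNECT, no vendor verbs
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")       # RFC 7230 token
TARGET_RE = re.compile(r"^(/[\x21-\x7e]*|https?://[\x21-\x7e]+)$")
VALUE_RE = re.compile(r"^[\x20-\x7e\t]*$")         # printable ASCII only


def validate_http_request(raw):
    """Return (accepted, reason) for one request head plus optional body.

    Only a CRLF-terminated, ASCII, HTTP/1.x request with an allowlisted
    method, well-formed headers and no protocol switch is accepted.
    """
    if b"\r\n\r\n" not in raw:
        return False, "no CRLFCRLF terminating the request head"
    head, body = raw.split(b"\r\n\r\n", 1)
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "request line is not 'METHOD target VERSION'"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, "method %r not in allowlist" % method
    if version not in ALLOWED_VERSIONS:
        return False, "version %r not allowed" % version
    if not TARGET_RE.match(target):
        return False, "malformed request-target"
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return False, "header line without colon: %r" % line
        name, _, value = line.partition(":")
        value = value.strip()
        if not TOKEN_RE.match(name) or not VALUE_RE.match(value):
            return False, "malformed header %r" % name
        headers[name.lower()] = value
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "HTTP/1.1 request without Host"
    # A switch to another protocol on the same connection is exactly the
    # tunnelling case; default deny means it is not passed.
    if "upgrade" in headers or "upgrade" in headers.get("connection", "").lower():
        return False, "protocol upgrade requested"
    if body:
        length = headers.get("content-length", "")
        if not length.isdigit():
            return False, "body without a numeric Content-Length"
        if int(length) != len(body):
            return False, "Content-Length does not match body"
    return True, "vanilla HTTP"


# Constructed sample traffic (not captured from any real client).
SAMPLES = {
    "browser_get": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
    "form_post": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Length: 9\r\n\r\nuser=dave"),
    "opaque_binary": b"\x16\x03\x01\x00\x95\x01\x00\x00\x91\xff\xfe",
    "upgrade_to_chat": (b"GET / HTTP/1.1\r\nHost: im.example\r\n"
                        b"Connection: Upgrade\r\nUpgrade: chat/1.0\r\n\r\n"),
    "connect_tunnel": b"CONNECT mail.example:993 HTTP/1.1\r\nHost: mail.example\r\n\r\n",
}


def classify_samples():
    """Run every sample through the validator; returns {name: accepted}."""
    return {name: validate_http_request(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-16s %s" % (name, validate_http_request(raw)))
```

The two browser-style requests pass; the opaque binary stream, the Upgrade handshake and the CONNECT tunnel are all dropped with a reason that can go straight into a log. Note what default deny costs: legitimate WebSocket traffic (which uses Upgrade) and HTTPS through a proxy (which uses CONNECT) are blocked too until someone adds an explicit rule for them, which is the point of the design rather than a defect of it.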



