Re: SSH tunneling/port forwarding and stateful packet inspection
From: Richard E. Silverman (res_at_qoxp.net)
Date: 02/27/04
- Previous message: Jay Walker: "scp between two remote machines"
- In reply to: steve: "Re: SSH tunneling/port forwarding and stateful packet inspection"
- Next in thread: Richard E. Silverman: "Re: SSH tunneling/port forwarding and stateful packet inspection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Feb 2004 00:13:07 -0500
> If that is the case, then as I said in one of my responses to King
> Richard - then this is an inherent vulnerability and firewalls are
> pretty much useless for security. They are more or less a "control"
> mechanism to keep users from doing things.
You say this as if it were a surprise. It's not. Firewalls are not
"useless," but they have their limits, as does any particular technique.
In particular, any time you allow two parties an unrestricted channel
(e.g. the ability to form a TCP connection), they can do absolutely
anything they want with it -- including circumventing blocks you have put
in place to prevent communication on other channels. To prevent this, you
would have to shut off direct IP routing at your security border, and only
provide people with application-level proxies for specific protocols. And
you would have to be very careful that your proxies do not allow the
formation of unrestricted channels over themselves (e.g. the HTTP CONNECT
command). Even then, complete control is practically impossible due to
the existence of covert or side channels. This is just the reality of how
communication works.
firewall != security
-- Richard Silverman res@qoxp.net
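The CONNECT caveat in the message above, as an added example (this is illustration code, not from the original post or from any proxy project): a policy check an application-level HTTP proxy could run on each request line so that the proxy itself does not hand out an unrestricted channel. The request-line shapes are the standard absolute-form and authority-form; the allowlists, the `parse_request_line`/`decide` helpers and the sample requests are constructed for this example.

```python
"""Policy check for an application-level HTTP proxy (added example).

Models the point in the post: a proxy must refuse to become an
unrestricted channel. Plain HTTP is accepted only to port 80, and
CONNECT (which carries arbitrary bytes) only to port 443 on hosts
that are explicitly listed. All names and lists here are constructed.
"""
from urllib.parse import urlsplit

# Constructed policy tables (assumptions for this example).
CONNECT_ALLOWED_HOSTS = {"updates.example.com", "mail.example.com"}
CONNECT_ALLOWED_PORTS = {443}
PLAIN_ALLOWED_PORTS = {80}
PLAIN_ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into (method, host, port, scheme).

    CONNECT uses authority-form (host:port); everything else must use
    absolute-form with an http:// scheme, as requests to a proxy do.
    Raises ValueError on anything that does not fit those shapes.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return method, host.lower(), int(port), None
    u = urlsplit(target)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("only absolute-form http:// targets accepted")
    port = u.port if u.port is not None else 80
    return method, u.hostname.lower(), port, u.scheme


def decide(line):
    """Return ('allow' | 'deny', reason) for one proxy request line."""
    try:
        method, host, port, _scheme = parse_request_line(line)
    except ValueError as exc:
        return "deny", f"unparseable: {exc}"
    if method == "CONNECT":
        # CONNECT is an opaque byte pipe: narrow it to known hosts/ports.
        if port not in CONNECT_ALLOWED_PORTS:
            return "deny", f"CONNECT to port {port} not permitted"
        if host not in CONNECT_ALLOWED_HOSTS:
            return "deny", f"CONNECT to {host} not on allowlist"
        return "allow", f"CONNECT {host}:{port}"
    if method not in PLAIN_ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    if port not in PLAIN_ALLOWED_PORTS:
        return "deny", f"http to port {port} not permitted"
    return "allow", f"{method} {host}:{port}"


if __name__ == "__main__":
    # Constructed sample request lines, as a client would send to a proxy.
    samples = [
        "GET http://www.example.org/index.html HTTP/1.1",
        "GET http://www.example.org:8080/ HTTP/1.1",
        "CONNECT updates.example.com:443 HTTP/1.1",
        "CONNECT updates.example.com:22 HTTP/1.1",
        "CONNECT other.example.net:443 HTTP/1.1",
        "not a request line",
    ]
    for s in samples:
        verdict, why = decide(s)
        print(f"{verdict:5}  {s!r:50}  {why}")
```

The check only narrows the channel; it does not remove it. A permitted CONNECT to port 443 is still an opaque stream the proxy cannot interpret, which is the post's point about covert channels: every hole you leave open for a legitimate protocol is a channel that can carry something else, and the policy question is how small and how well-logged that hole is.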