Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: Jeromie Jackson <jeromie () garrison com>
Date: Mon, 09 Feb 1998 11:40:35 -0800
Author: "Mark Horn [ Net Ops ]" <mhorn () funb com>
Date: 2/3/98 11:43 AM

[Snip]
> Lately, I've noticed an increasing number of network protocols that are
> encapsulating themselves over existing protocols. And then using some of
> our proxies to navigate anywhere on the Internet.
[Snip]
> This kinda scares me. One of the premises of running a firewall is that
> you explicitly deny any protocol that is unknown. Well, if new protocols
> are encapsulating themselves into known protocols, how can you keep a
> handle on what protocols are running through the firewall?
Have you not seen the advancements in several firewall products that address this type of encapsulation? For example, in Gauntlet 4.0a you can say you deny everything on the http port other than standard http. Encapsulated data is dropped. Then you look @ the elaborate configuration capable for FTP filtering and such...

I would agree that items such as tunneling, and potentially the Kerberos issues that may come to pass based on NT, pose serious risk; however, I would definitely have to disagree that packet filters are worthy to be considered what the market will end up all buying. Encapsulated protocols could be considered covert in relation to how proxies view them. This being said, you will never get rid of them entirely. However, would you rather just let them in (i.e. have a packet filter), or would you prefer to mitigate the risk (i.e. proxy)? Security is not a 100% security solution, it's RISK MITIGATION.

Being a consultant myself, I would agree that it's sometimes hard to explain security mechanisms to ignorant people, although within 10 minutes I can describe DAC & MAC to laymen. I would hardly say the knowledge barrier has to keep non-security people from understanding the concepts behind the technologies.

P.S. In reality the majority of the commercial market demands that the use of insecure services be implemented in order to process their business transactions. I can't tell you how many times I've heard "it's a business requirement, management won't listen to my security pleas". This being said, why worry, let's just all go get a few beers. 8-)

=-=-=-=-=-=-=-=-=-=-=-=-==-=
Jeromie Jackson - CISSP
Senior Security Engineer
Garrison Technologies
512-302-0882 or 760-633-1843
jeromie () garrison com
WWW- http://www.garrison.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
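To make the "only standard http on the http port" rule concrete: the reply describes an application proxy that parses what a client sends on port 80 and drops anything that is not a well-formed HTTP/1.x request, which is what defeats protocols tunnelled over port 80. The check below is an added illustration written for this archive page, not Gauntlet's code; the allowed method set and the sample payloads are constructed assumptions.

```python
import re

# Assumed site policy: only these methods are forwarded by the proxy.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[A-Za-z0-9-]+:.*$")

def classify_http_request(first_bytes: bytes) -> str:
    """Return 'allow' if the bytes parse as a standard HTTP/1.x request,
    otherwise a 'drop: ...' reason as a proxy log would record it."""
    try:
        text = first_bytes.decode("ascii")
    except UnicodeDecodeError:
        # Binary tunnels and TLS records never decode as ASCII HTTP.
        return "drop: non-ASCII bytes before request line"
    if "\r\n\r\n" not in text:
        return "drop: no complete header block"
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return "drop: request line is not HTTP/1.x"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        # CONNECT is the usual way to tunnel an arbitrary stream through a proxy.
        return f"drop: method {method} not permitted"
    if not (target.startswith("/") or target.startswith("http://")):
        return "drop: request target is neither absolute-path nor http URL"
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return "drop: malformed header line"
    return "allow"

# Constructed sample client payloads, one per connection on port 80.
SAMPLES = {
    "plain_get": b"GET http://www.example.com/ HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "connect_tunnel": b"CONNECT chat.example.net:6667 HTTP/1.0\r\n\r\n",
    "binary_blob": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "smuggled_text": b"NICK joe\r\nUSER joe 0 * :joe\r\n\r\n",
}

def audit(samples=SAMPLES):
    """Run the proxy check over every sample and return the verdicts."""
    return {name: classify_http_request(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:15s} {verdict}")
```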