Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: Jeromie Jackson <jeromie () garrison com>
Date: Mon, 09 Feb 1998 11:40:35 -0800

Author:  "Mark Horn [ Net Ops ]" <mhorn () funb com> 
Date:    2/3/98 11:43 AM
    
[Snip]
    
Lately, I've noticed an increasing number of network protocols that are 
encapsulating themselves over existing protocols.  And then using some of 
our proxies to navigate anywhere on the Internet.

[Snip]
    
This kinda scares me.  One of the premises of running a firewall is that 
you explicitly deny any protocol that is unknown.  Well, if new protocols 
are encapsulating themselves into known protocols, how can you keep a 
handle on what protocols are running through the firewall?


Have you not seen the advancements in several firewall products that
address this type of encapsulation?  For example, in Gauntlet 4.0a you can
say you deny everything on the HTTP port other than standard HTTP.
Encapsulated data is dropped.  Then you look at the elaborate configuration
capable for FTP filtering and such... I would agree that items such as
tunneling, and potentially the Kerberos issues that may come to pass based
on NT, pose serious risk; however, I would definitely have to disagree that
packet filters are worthy to be considered what the market will end up all
buying.

Encapsulated protocols could be considered covert in relation to how
proxies view them.  This being said, you will never get rid of them
entirely.  However, would you rather just let them in (i.e., have a packet
filter), or would you prefer to mitigate the risk (i.e., proxy)?  Security is
not a 100% security solution; it's RISK MITIGATION.

Being a consultant myself, I would agree that it's sometimes hard to
explain security mechanisms to ignorant people, although within 10
minutes I can describe DAC & MAC to laymen.  I would hardly say the
knowledge barrier has to keep non-security people from understanding the
concepts behind the technologies.

P.S. In reality the majority of the commercial market demands that
insecure services be implemented in order to process their business
transactions.  I can't tell you how many times I've heard "it's a business
requirement, management won't listen to my security pleas".  This being
said, why worry?  Let's just all go get a few beers. 8-)


=-=-=-=-=-=-=-=-=-=-=-=-==-=

Jeromie Jackson - CISSP
Senior Security Engineer
Garrison Technologies
512-302-0882 or
760-633-1843
jeromie () garrison com
WWW- http://www.garrison.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
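The "deny everything on the HTTP port other than standard HTTP" behaviour the reply attributes to Gauntlet is, at bottom, a protocol-conformance check on the bytes that arrive on the port. The following is an added illustration, not code from this thread and not Gauntlet's implementation: a small Python classifier that decides whether the head of a port-80 request is really HTTP/1.0 or HTTP/1.1 before any byte is relayed. The allowed-method list, the request-target rule (origin-form path or an http:// URL only) and the header grammar are this example's own policy assumptions; the sample payloads are constructed for the demonstration.

```python
import re
from typing import Dict, Tuple

# Methods this example's plain-HTTP proxy accepts on port 80. CONNECT is left
# out on purpose: it turns the proxy into a generic TCP tunnel, which is exactly
# the "encapsulated protocol" the thread is worried about. (Policy assumption.)
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Request line: METHOD SP target SP HTTP/1.x CRLF (bare LF tolerated).
REQUEST_LINE = re.compile(rb"^([A-Z]{3,10}) (\S+) HTTP/(1\.0|1\.1)\r?\n")
# Header field: token ":" optional whitespace, value with no CR/LF.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")
# Request target: origin-form path or an absolute http:// URL (assumption).
TARGET = re.compile(rb"^(/\S*|http://[^/\s]+(/\S*)?)$")
HEAD_END = re.compile(rb"\r?\n\r?\n")


def classify_http_payload(data: bytes) -> Tuple[str, str]:
    """Return ("allow", reason) for a conforming HTTP/1.x request head,
    ("drop", reason) otherwise. Assumes the full request head is in `data`."""
    m = REQUEST_LINE.match(data)
    if not m:
        return "drop", "first line is not an HTTP request line"
    method = m.group(1).decode("ascii")
    target = m.group(2)
    version = m.group(3).decode("ascii")
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not permitted"
    if not TARGET.match(target):
        return "drop", "request target is not an HTTP URL or path"
    # The header block ends at the first blank line; start the search at the
    # request line's own LF so an immediately following blank line is found.
    end = HEAD_END.search(data, m.end() - 1)
    if end is None:
        return "drop", "header block not terminated by a blank line"
    header_block = data[m.end():end.start()]
    for raw in (header_block.split(b"\n") if header_block else []):
        if not HEADER_LINE.match(raw.rstrip(b"\r")):
            return "drop", "malformed header line"
    return "allow", f"conforming HTTP/{version} {method} request"


# Constructed sample payloads, as a proxy might read them from port 80.
SAMPLES: Dict[str, bytes] = {
    "plain_get": (b"GET /index.html HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n"
                  b"User-Agent: Mozilla/4.0\r\n\r\n"),
    "ssh_banner": b"SSH-2.0-OpenSSH_2.0\r\n",           # SSH pushed through port 80
    "connect_tunnel": b"CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n",
    "binary_header": (b"POST /cgi-bin/upload HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n"
                      b"\x00\x01\x02binary blob\r\n\r\n"),
    "ftp_target": b"GET ftp://files.example.com/pub/ HTTP/1.0\r\n\r\n",
}


def filter_port80_samples() -> Dict[str, Tuple[str, str]]:
    """Run the classifier over every constructed sample."""
    return {name: classify_http_payload(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in filter_port80_samples().items():
        print(f"{name:15s} {verdict:5s} {reason}")
```

Only the request head is validated here, which is what "standard HTTP only" buys you: an SSH banner, a CONNECT tunnel or a non-HTTP header block never reaches the inside. A protocol carried inside the body of an otherwise well-formed POST passes this check, which is the residual risk the reply concedes when it says such protocols will never be eliminated entirely, only mitigated.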


