Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: Bennett Todd <bet () rahul net>
Date: Wed, 4 Feb 1998 03:36:07 -0800
1998-02-03-16:43:26 Mark Horn:
Lately, I've noticed an increasing number of network protocols that are encapsulating themselves over existing protocols. And then using some of our proxies to navigate anywhere on the Internet. [...] Does anyone have any clever ideas as to how to prevent this encapsulation trick?
In general, you can't; a sufficiently-determined tunneler can make their traffic look sufficiently legitimate to pass any automated scanner.

However, I'd doubt anybody would be devoting themselves to serious Steganography to conceal their tunnels just yet, so if you wanted to catch the easy ones, it ought to suffice to have your http proxy check MIME types against an "approved" list, and do some quick content checks to ensure that it at least looks a little like the indicated MIME type.

Of course if you want to enforce this level of control you run into the same big limitation as if you intend to try to strip out applets: you can't pass SSL, until and unless someone comes out with a man-in-the-middle SSL proxy. Happily, I'm expecting one not too long after Netscape 5.0 sources hit the street :-).

-Bennett
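An added example (not from the original post) of the proxy-side check Bennett describes: compare the declared Content-Type against an approved list and then verify the body actually looks like that type. The allow-list, the magic-byte table, the text heuristics and the sample responses are all constructed assumptions.

```python
# Added example: a "does the body look like the declared MIME type" check
# of the kind an HTTP proxy could run on responses. Not from the original
# post; the allow-list and sample bodies below are constructed.

APPROVED_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg", "image/png"}

# Well-known file signatures for the binary types on the approved list.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}


def looks_like_text(body: bytes) -> bool:
    """Heuristic: a text type should decode as UTF-8 and contain no NUL bytes."""
    if b"\x00" in body:
        return False
    try:
        body.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def check_response(content_type: str, body: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one proxied HTTP response.

    content_type is the raw Content-Type header; parameters such as
    '; charset=...' are stripped before the allow-list lookup.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in APPROVED_TYPES:
        return False, f"type not on approved list: {mime}"
    if mime in MAGIC:
        if not body.startswith(MAGIC[mime]):
            return False, f"body does not start with {mime} signature"
        return True, "ok"
    # Remaining approved types are text/*.
    if not looks_like_text(body):
        return False, f"body is not plausible {mime}"
    if mime == "text/html" and b"<" not in body[:4096]:
        return False, "declared text/html but no markup in first 4 KiB"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample responses: one genuine GIF, one opaque blob
    # mislabelled as GIF, one HTML page, one type not on the list.
    samples = [
        ("image/gif", b"GIF89a" + bytes(20)),
        ("image/gif", bytes(range(32))),
        ("text/html; charset=utf-8", b"<html><body>hi</body></html>"),
        ("application/octet-stream", b"anything"),
    ]
    for ct, body in samples:
        print(ct, check_response(ct, body))
```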