Firewall Wizards mailing list archives
Re: dns outbound
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Wed, 19 May 1999 10:52:02 -0400
On Tue, May 18, 1999 at 09:55:15AM -0700, chuck wrote:
The answers out there seem to be 'protocol aware' proxies or filters. Checkpoint claims that they look 'into' various protocols to make sure it's http or dns. Of course it *IS* http or dns, the issue is looking into the stream more and figuring out that the payload is ICQ or similar. Oh yeah, don't slow down the proxy while doing so.
It'll be _very_ easy to add enough obfuscation to the HTTP transfer to make sure that the HTTP proxy or MLSI filter won't have a clue. A little encryption will go far, even with a 20-bit key to keep the NSA^H^H^Hlaw enforcement happy. It may pollute a Squid cache, but it'll get through. I'm tempted to write an internet draft 'General Purpose stealth tunneling through HTTP', just to make a point.

Ge'

--
-
Ge' Weijers                Voice: (614)326 4600
Progressive Systems, Inc.  FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220