Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Barney Wolff <barney () pit databus com>
Date: Sun, 6 Apr 2003 21:05:16 -0400

On Sun, Apr 06, 2003 at 02:59:37PM -0400, Marcus J. Ranum wrote:

> Protocol-over-protocol "attacks" mooted firewalls a loooooooong time
> ago. We've just been cheerfully ignoring that fact. I was tunnelling
> IP packets uuencoded over smtp back in the early 1990's (I guess
> it would have been 1993 or -4) and got good enough RTTs that I
> could even NFS-mount filesystems across a firewall once I had
> tuned the NFS timeouts and retries correctly.

With all due respect, this is something of an overstatement.  Tunneling
requires a cooperating agent on the inside.  The security policy of
that agent becomes part of your firewall.

In the good old days, the definition of "firewall" was "that which
implements your security policy" rather than "the box with that label".

The implication of this reasoning is clear:  If you don't control the
internal tunnel endpoint(s), you don't control your security policy.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
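The exchange above describes the mechanism only in passing: an inside host uuencodes raw IP packets into the body of ordinary mail, a far-end host pulls them back out, and the firewall in between sees nothing but well-formed SMTP. The following is an added example written for this archive page, not code from Marcus or Barney, showing both ends of such a tunnel in Python plus the kind of content check a mail gateway would need to run to notice it. The packet builder, the message headers, the addresses and the "looks_like_ipv4_packet" heuristic are all constructed for illustration.

```python
import binascii
import ipaddress
import struct
from email import message_from_string, policy
from email.message import EmailMessage


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.
    Run over a header whose checksum field is already filled in, a valid
    header yields 0, which is what the verifier below relies on."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header, no options, correct checksum, then payload."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def uuencode(data: bytes, name: str = "pkt") -> str:
    """Classic uuencode: 'begin' line, one line per 45-byte chunk, '`', 'end'.
    backtick=True maps zero bits to '`' rather than space so no line carries
    trailing whitespace that a mail hop might strip."""
    lines = ["begin 644 %s" % name]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def uudecode(text: str) -> bytes:
    """Inverse of uuencode(); tolerates blank lines a mailer may add around the body."""
    out = bytearray()
    in_body = False
    for line in text.splitlines():
        if not in_body:
            in_body = line.startswith("begin ")
            continue
        if line == "end":
            break
        if line in ("", "`"):
            continue
        out += binascii.a2b_uu(line)
    return bytes(out)


def encapsulate(packet: bytes, sender: str, recipient: str) -> str:
    """The cooperating inside agent: a raw IP packet becomes the body of a
    plain text/plain message, so an SMTP relay or proxy sees only valid mail."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "weekly report"   # innocuous subject, constructed for the example
    msg.set_content(uuencode(packet))
    return msg.as_string()


def decapsulate(raw_mail: str) -> bytes:
    """Far end of the tunnel: parse the message and recover the packet for injection."""
    msg = message_from_string(raw_mail, policy=policy.default)
    return uudecode(msg.get_content())


def looks_like_ipv4_packet(data: bytes) -> bool:
    """Hypothetical gateway check (an assumption, not something from the thread):
    does a decoded uuencoded body parse as an IPv4 packet? Version 4, sane IHL,
    total length equal to the data length, and a header checksum that verifies.
    A firewall that validates only SMTP syntax never gets as far as this."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return False
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(data):
        return False
    (total_len,) = struct.unpack("!H", data[2:4])
    return total_len == len(data) and ipv4_checksum(data[:ihl]) == 0


if __name__ == "__main__":
    # Constructed sample: a UDP packet from an inside host to an outside host.
    pkt = build_ipv4_packet("10.0.0.5", "192.0.2.7", 17, b"hello from inside")
    mail = encapsulate(pkt, "alice@example.com", "bob@example.com")
    print(mail)
    assert decapsulate(mail) == pkt
    print("decoded body parses as IPv4:", looks_like_ipv4_packet(pkt))
```

Note that the gateway check only works because the tunnel here is unencrypted and uses a recognisable framing; wrap the packet in a cipher or a different encoding and the check is blind again. That is Barney's point in practice: the only reliable control is over the inside endpoint running encapsulate(), not over the box in the middle.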