Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Barney Wolff <barney () pit databus com>
Date: Sun, 6 Apr 2003 21:05:16 -0400
On Sun, Apr 06, 2003 at 02:59:37PM -0400, Marcus J. Ranum wrote:
> Protocol-over-protocol "attacks" mooted firewalls a loooooooong time ago. We've just been cheerfully ignoring that fact. I was tunnelling IP packets uuencoded over smtp back in the early 1990's (I guess it would have been 1993 or -4) and got good enough RTTs that I could even NFS-mount filesystems across a firewall once I had tuned the NFS timeouts and retries correctly.
With all due respect, this is something of an overstatement. Tunneling requires a cooperating agent on the inside. The security policy of that agent becomes part of your firewall. In the good old days, the definition of "firewall" was "that which implements your security policy" rather than "the box with that label". The implication of this reasoning is clear: If you don't control the internal tunnel endpoint(s), you don't control your security policy.

-- 
Barney Wolff    http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
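The IP-over-SMTP tunnel Marcus describes is a concrete instance of the "cooperating agent on the inside" problem, and the mail relay is one place a defender can look for it. The following is an added example, not code from the thread: it uudecodes every block in a constructed sample message and reports the blocks that parse as IPv4 packets (version, IHL, total length and header checksum all consistent). The sample packet, the message and all function names are my own constructions.

```python
import binascii
import struct

def ipv4_checksum(header: bytes) -> int:
    # RFC 791 one's-complement sum; a header whose checksum field is valid folds to 0
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_sample_packet() -> bytes:
    # Constructed 28-byte IPv4/UDP packet 10.0.0.1 -> 10.0.0.2 with a correct checksum
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + b"\x00" * 8

def uuencode(data: bytes) -> str:
    # Minimal uuencoder for one block of at most 45 bytes: begin, data line, "`", end
    return "begin 644 pkt\n" + binascii.b2a_uu(data).decode("ascii") + "`\nend\n"

def uudecode_blocks(message: str) -> list:
    # Decoded bytes of every well-formed uuencode block in a mail body
    blocks, cur = [], None
    for line in message.splitlines():
        if cur is None:
            cur = bytearray() if line.startswith("begin ") else None
        elif line == "end":
            blocks.append(bytes(cur))
            cur = None
        elif line:  # skip blank lines: a2b_uu("") yields 32 NUL bytes
            try:
                cur += binascii.a2b_uu(line)
            except binascii.Error:
                cur = None  # malformed block: discard the rest of it
    return blocks

def looks_like_ipv4_packet(data: bytes) -> bool:
    # Version 4, IHL >= 20, total length equal to the blob, header checksum valid
    ihl = (data[0] & 0x0F) * 4 if len(data) >= 20 else 0
    if ihl < 20 or data[0] >> 4 != 4 or len(data) < ihl:
        return False
    return struct.unpack("!H", data[2:4])[0] == len(data) and ipv4_checksum(data[:ihl]) == 0

def find_tunnelled_packets(message: str) -> list:
    # (src, dst, protocol) for each uuencoded block that parses as an IPv4 packet
    return [(".".join(map(str, b[12:16])), ".".join(map(str, b[16:20])), b[9])
            for b in uudecode_blocks(message) if looks_like_ipv4_packet(b)]

SAMPLE_MAIL = "Subject: data\n\n" + uuencode(build_sample_packet())  # constructed sample
```

A uuencoded text file, or a packet whose header checksum does not verify, is not reported, so the check keys on packet structure rather than on the mere presence of uuencoded data.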