Firewall Wizards mailing list archives

Re: tunnel vs open a hole
From: "Bernie, CTA" <cta () hcsin net>
Date: Sun, 6 Apr 2003 18:39:43 -0400

This is my approach: 

First I would consider how your security policy defines and limits
accessibility of security categories (grouping of system entities), in
relation to clearances of subjects (Users / Processes) and
classification of objects (Data).

Considering that you want to connect an entity that is more secure,
which I assume is sitting behind the firewall, to a less secure entity
outside the firewall, and given that we do not know the security
taxonomy of the current port / protocol, I would open a new port. If we
enable a new port we can establish a specific set of security policies
to maintain control over the subjects without compromising others.
Moreover, moving this level-transitional traffic (traffic moving between
entities defined with different security level classifications) to a new
port theoretically reduces the system's overall security threat/risk
ratio while improving the threat segregation response time (the time it
takes to isolate different elements involved in a security threat).


On 4 Apr 2003, at 15:53, Anton A. Chuvakin wrote:

All,

Sorry for this somewhat generic query, but I'd really like to
know the general consensus on the issue from the esteemed list
members. I have seen that such debates often spark on the list,
and I think a summary (which might arise as a result of my query)
would be useful for everybody, so...

...if to run a new application you'd have to either:

1. open a new port
2. accept tunneling over already open port/protocol

which would you choose?

To clarify, imagine you have to have something that needs to talk
through a firewall from a less secure compartment to a more secure
one. And the options are: open TCP port XXXXX (to the required
host only, of course), or tunnel over currently open (or proxied)
port 80?

Best,

****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
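As an added illustration of the point both posts turn on (this is not code from the thread), the small Python model below evaluates the same application flow under a dedicated-port rule scoped to one client host and under tunnelling through the existing port-80 rule. All addresses, the port number 7001 (standing in for "TCP port XXXXX") and the rule names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network (CIDR) in the less secure compartment
    dst: str      # destination host (CIDR) in the more secure compartment
    dport: int
    action: str   # "allow" or "deny"


# Constructed example addresses; the thread names no hosts or ports.
SECURE_HOST = "10.1.1.10/32"
APP_PORT = 7001                       # stands in for "TCP port XXXXX"

RULES = [
    # Pre-existing broad rule: port 80 already open from the whole outer segment.
    Rule("web", "192.168.0.0/16", SECURE_HOST, 80, "allow"),
    # Dedicated rule for the new application, scoped to the one required client.
    Rule("new-app", "192.168.5.20/32", SECURE_HOST, APP_PORT, "allow"),
]


def evaluate(src_ip: str, dst_ip: str, dport: int) -> tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit default deny."""
    for r in RULES:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and dport == r.dport):
            return r.action, r.name
    return "deny", "default"


def compare_designs(client_ip: str) -> dict:
    """Same application flow under both designs from the question.

    A tunnelled flow is indistinguishable from ordinary web traffic, so it
    inherits the broad 'web' rule; the dedicated port gets its own rule and
    its own log line, which is the segregation Bernie argues for.
    """
    tunnel = evaluate(client_ip, "10.1.1.10", 80)           # tunnelled over port 80
    dedicated = evaluate(client_ip, "10.1.1.10", APP_PORT)  # dedicated new port
    return {"tunnel": tunnel, "dedicated": dedicated}


if __name__ == "__main__":
    for ip in ("192.168.5.20", "192.168.9.99"):
        print(ip, compare_designs(ip))
```

The second client (192.168.9.99) is not authorised for the application, yet its tunnelled flow is still allowed under the "web" rule, while the dedicated port denies it and leaves a distinct audit trail.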