Firewall Wizards
mailing list archives
Re: tunnel vs open a hole
From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Mon, 7 Apr 2003 11:50:21 +0200 (CEST)
> Hi,
> Sorry for this somewhat generic query, but I'd really like to know the
> general consensus on the issue from the esteemed list members. I have
> seen that such debates often spark on the list, and I think a summary (which
> might arise as a result of my query) would be useful for everybody, so...
> ...if to run a new application you'd have to either:
> 1. open a new port
> 2. accept tunneling over an already open port/protocol
> which would you choose?
A new port. To get a separation between the existing and the
new traffic. If there is anything funny going on on the one
port, the other is not affected (concerning closing or
reconfiguring).
There is one situation where I definitely choose the
existing port: if it means I have to open many, many
ports on the firewall. In this case I prefer them all
coming through the same port outside to a specific
host in a DMZ. From there the required ports are then opened
to the more secure zone. (Ok, re-reading that, it is a
"choose a new port" too :-) ).
> To clarify, imagine you have to have something that needs to talk through a
> firewall from a less secure compartment to a more secure one. And the
> options are: open TCP port XXXXX (to the required host only, of course),
> or tunnel over currently open (or proxied) port 80?
As port 80 usually means http: Never do that. If you want to
tunnel use some more secure protocol which gives you some kind
of confidentiality (ssh, ssl) on your way from the less secure
compartment to the more secure one.
Cheers,
Chris.
--
GeNUA mbH
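As an added illustration (not part of the original post, and not a GeNUA configuration), here is how the choices discussed above look as an OpenBSD pf ruleset: the existing web rule that a "tunnel over port 80" would ride on, the dedicated port opened only from the required host, and the relay design where a single TLS port outside leads to a DMZ host that then gets exactly the ports it needs into the secure zone. All interface names, addresses and port numbers are assumptions made up for the example.

```pf
# pf.conf fragment (example only; interfaces, addresses and ports are invented)
ext_if   = "em0"            # less secure compartment
dmz_if   = "em1"            # DMZ
int_if   = "em2"            # more secure compartment
client   = "192.0.2.25"     # the one host that must reach the new application
web      = "10.0.0.10"      # existing web server
relay    = "198.51.100.10"  # DMZ relay that terminates TLS (or SSH) from outside
app      = "10.0.0.20"      # application server in the secure compartment
app_port = "5555"           # the "TCP port XXXXX" of the new application

set skip on lo
block log all               # default deny in every direction

# Existing rule. Tunnelling the new application over port 80 means its
# traffic shares this rule: it cannot be closed, logged or rate-limited
# separately from web traffic, and plain http carries it in clear.
pass in on $ext_if proto tcp from any to $web port 80

# Option 1: a dedicated port, opened only from the required host.
# Closing or reconfiguring this rule never touches the web rule above.
pass in on $ext_if proto tcp from $client to $app port $app_port

# Option 2: many ports collapse to one port outside. Only TLS to the
# DMZ relay is open from the less secure side (use port 22 for SSH);
# the relay alone is then allowed the specific ports into the secure zone.
pass in on $ext_if proto tcp from $client to $relay port 443
pass in on $dmz_if proto tcp from $relay to $app port { 5555, 5556 }
```

pf keeps state on every `pass` rule by default and states are floating, so the reply and the forwarded packet on the inner interface match the state created by the `pass in` rule; no separate `pass out` rules are needed. Check the syntax without loading it with `pfctl -nf /etc/pf.conf`.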
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards