Firewall Wizards
mailing list archives
Re: tunnel vs open a hole
From: Crispin Cowan <crispin () wirex com>
Date: Mon, 07 Apr 2003 12:09:16 -0700
Barney Wolff wrote:
> On Sun, Apr 06, 2003 at 09:26:07PM -0700, Crispin Cowan wrote:
>> (BW wrote)
>>> With all due respect, this is something of an overstatement. Tunneling
>>> requires a cooperating agent on the inside. The security policy of
>>> that agent becomes part of your firewall.
>> The scary "gotcha": what if the "cooperating agent" on the inside is a
>> worm or a virus?
> But saying that firewall technology is imperfect is different than saying
> it's not worth using. Would any expert go that far? The message is
> instead that defense in depth and strategies for detecting and handling
> breaches are required.
My main message is that firewalls are useful for keeping bad stuff out,
but hopeless for keeping secret stuff in, for precisely the above
reasons. I have taught this in class
<http://www.cse.ogi.edu/%7Ecrispin/527/>, and it surprises a fair number
of people. Many assume that you can configure a firewall to block
outgoing traffic, and that stops the traffic. Nope: most firewalls pass
HTTP on port 80, and nearly all pass DNS. In either case, you can encode
your traffic to pass out of the network over those protocols. Therefore:
* You can use firewalls as a first line of defense.
* You can use firewalls as your /only/ line of defense if your needs
are very simple and threat level is low.
* Otherwise you are going to need secondary defenses. I recommend
using secure operating systems on your critical servers, but then
again I sell such operating systems, so caveat emptor :-)
Crispin
--
Crispin Cowan, Ph.D. http://wirex.com/~crispin/
Chief Scientist, WireX http://wirex.com
HP/Trend Micro Immunix Secured Solutions
http://h18000.www1.hp.com/products/servers/solutions/iis/
Just say ".Nyet"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
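The DNS channel Crispin describes is hard to block at the firewall but can be watched for downstream. The following is an added example, not code from the thread or from any list member: it scans a constructed DNS query log (format "epoch client qname", an assumption) and reports clients that repeatedly send long, high-entropy subdomain labels to a single domain, which is what encoded data riding on port 53 looks like.

```python
import math
from collections import defaultdict

# Constructed DNS query log, "epoch client qname" per line (not from the thread).
# Client 10.0.0.7 sends bursts of long, encoded-looking labels under one domain;
# client 10.0.0.9 sends one odd-looking CDN name, which must not be reported.
SAMPLE_LOG = """\
1049744956 10.0.0.5 www.example.com
1049744957 10.0.0.5 mail.example.com
1049744958 10.0.0.7 q3w8e1r5t9y2u6i0.o4p7a2s9d1f5g8h3.corp-updates.example
1049744959 10.0.0.7 z9x4c7v2b5n8m1l6.k3j0h5g2f8d4s7a9.corp-updates.example
1049744960 10.0.0.7 p2o9i6u3y7t1r4e8.w5q0a3s6d2f9g4h7.corp-updates.example
1049744961 10.0.0.9 a1b2c3d4e5f6g7h8i9j0k1.cdn-cache.example
1049744962 10.0.0.9 ntp.pool.example
"""

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Simplification: last two labels. Real tooling should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_qname(qname, max_payload=20, min_entropy=3.0):
    """Flag names whose subdomain part is long and looks like encoded data."""
    labels = qname.rstrip(".").split(".")[:-2]
    payload = "".join(labels)
    return len(payload) > max_payload and shannon_entropy(payload) >= min_entropy

def find_dns_tunnel_candidates(log_text, min_hits=3):
    """Return {(client, domain): count} for pairs with repeated suspicious queries.
    One odd name is not enough (CDN hostnames often look random); the rate
    threshold keeps the single cdn-cache query out of the result."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _, client, qname = fields
        if suspicious_qname(qname):
            hits[(client, registered_domain(qname))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}
```

Thresholds are deliberately conservative; in production, tune them per resolver and add volume-per-domain and query-type (TXT, NULL) checks alongside the label heuristic.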