Re: Citrix ICA through port 80?

["TC Wolsey" <twolsey () realtech com>]

> Lance Spitzner <lance () ksni net> 02/15/00 01:10AM 
> On Sat, 12 Feb 2000, Crispin Cowan wrote:
>
> > Firewalls are to keep the bad packets out.  Firewalls are completely
> > ineffective at keeping the users in.  They were not designed to contain
> > users, and are completely incapable of containing a determined user.
>
> I'm going to disagree with you on this one :)  Firewalls are
> designed to enforce policy.  They do not work in only "one" direction,
> they work however you configure them to. You state the firewalls only 
> keep users out.  How does a firewall know what is 'out' and 'what' is 
> in, they don't.  Below you give an example of how traffic can be tunneled,
> any user can do this, in or out.  In general, outbound rules do tend
> to be easier to subvert.  However, with your DNS example, if that is
> allowed inbound, it to can be tunneled.
>
> > For a counter-example to the idea of using firewalls to contain inside
> > users, consider MJR's demo-ware that implemented TCP/IP over top of DNS
> > requests.  If you can get any data at all out, then you can put TCP/IP on
> > top of it, and from there you can do anything.
>
> > Thus for security purposes, firewalls are strictly access control devices
> > to control what outsiders can do to your inside.  Your firewall may be
> > performing some kind of control on what your inside users can pass out,
> > but it is strictly a convenience factor.  A determined user can always
> > push out if they want to.
>
> A firewall is basically a ACL device, definitely agree.  Yes, a determined
> user can subvert outbound access (httptunnel).  However, based on most
> production rulebases I have seen, they can also be subverted inbound.

Inbound channels can only be subverted if the consumer of the information evaluates it in a different context than the 
firewall. It is really about the difference between content and context. Firewalls (hopefully) evaluate the content of 
the data stream but they must make some assumptions about how the endpoints use that data stream. If you control the 
inside host that uses the inbound data and you are sure that the inside host and the firewall have the same ideas about 
what effects the content will have, you are set. If the firewall sees content that it judges to be benign (say ICMP 
echo payload) but the inside host uses that content for something other than the usual diagnostic pupose (control of a 
DDoS agent) there are problems. 

> This is why I am a big fan of proper rule base design.  Personally,
> I feel there is too much discussion on the techinical merits of
> competing firewalls, and too little discussion on their implementation (i.e.,
> architecture and rulebase design).

Any access control method has some assumptions made during the design phase. The control method can be correct, but it 
is only effective as long as the assumptions made regarding the environment are correct. 

I have to agree that more discussion on the implementation of secured networks and environments would be encouraging, 
at least until I can find the checkbox in the firewall GUI that reads 'Secure the environment surrounding this 
firewall' - don't think that I have not looked ;-)

> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html 

Regards,

tcw