Firewall Wizards mailing list archives
Re: httport 3snf
From: Paul Robertson <proberts () patriot net>
Date: Mon, 21 Oct 2002 18:30:00 -0400 (EDT)
On Mon, 21 Oct 2002, Christopher Hicks wrote:
> It's a never-ending game. Even if you could detect SSL (which would require a load of CPU), there's no reason someone can't switch to a different method of encryption. Let me give you two examples. We have a couple of friends that work for large stupid companies that would rather those large stupid IT people not watch their personal e-mail and browsing activities. Since these folks are carrying in their own personal linux laptops I don't feel terribly immoral about helping them with this. (I'm sort of fond of privacy myself.) Anyway, neither of the folks I have in mind uses SSL to do what they're doing. It's not a matter of avoiding SSL either, it's just a matter of their individual geek preferences. Individual A ** uses ssh and is quite happy with pine and lynx and doesn't want to configure anything. ssh doesn't use SSL and your imagined SSL blocker would have no effect on them. You can use AIM knock-offs through
When I was the evil firewall BOFH in a large stupid company, your friends wouldn't have gotten SSH out of my firewall.
> encrypted. So, I don't think your imaginary SSL blocker would have the hoped-for result.
Depends on what traffic is *allowed* out of the firewall. My lusers had http, ftp (through the browser), SMTP through gateways and DNS through a controlled server. HTTP tunneling was about the only realistic vector, and authentication made that at least difficult.
Someone else suggested becoming authoritative for the big IM domains (aol.com, etc.) This won't help you unless they're using your DNS servers and even if you hose your own DNS servers so things won't work there's nothing to stop the miscreants from using other DNS servers, through a tunnel if necessary.
For AIM, blocking the OSCAR and TOC login servers is all that's necessary. Not real difficult; I'm pretty sure ICQ is about the same.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                                  TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
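Paul's point is that what matters is the default-deny egress policy, not a detector for any one protocol: if the only things allowed out are HTTP/FTP via an authenticated proxy, SMTP via the mail gateway and DNS via a controlled resolver, then outbound SSH and DNS to an outside resolver (the trick that defeats "become authoritative for aol.com") never leave the network, and any attempt shows up in the firewall log. The script below is an added example written for this page, not code from the list or from Paul; it audits a few constructed iptables-style log lines against that posture. The addresses, proxy port and log format are assumptions made up for the example.

```python
"""Audit constructed firewall log lines against a default-deny egress policy.

Policy modelled (an assumption based on the post): users may reach only the
authenticated web/FTP proxy, the SMTP gateway and the controlled DNS server.
Everything else leaving the user network is a finding.
"""
import ipaddress
import re

# Constructed internal addressing and approved infrastructure (not real values).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.0.10")        # authenticated HTTP/FTP proxy
PROXY_PORT = 8080
MAIL_GATEWAY = ipaddress.ip_address("10.0.0.25")  # SMTP relay
DNS_SERVER = ipaddress.ip_address("10.0.0.53")    # the one resolver users may use

# iptables-style log fields; only the ones the policy needs are captured.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=8080",
    "IN=eth0 OUT=eth1 SRC=10.1.2.3 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=22",
    "IN=eth0 OUT=eth1 SRC=10.1.2.4 DST=198.51.100.53 PROTO=UDP SPT=5353 DPT=53",
    "IN=eth0 OUT=eth1 SRC=10.1.2.4 DST=10.0.0.53 PROTO=UDP SPT=5354 DPT=53",
    "IN=eth0 OUT=eth1 SRC=10.1.2.5 DST=10.0.0.25 PROTO=TCP SPT=40002 DPT=25",
    "IN=eth0 OUT=eth1 SRC=10.1.2.5 DST=203.0.113.9 PROTO=TCP SPT=40003 DPT=443",
    "kernel: link up on eth1",  # unrelated line, must be skipped
]


def parse_log_line(line):
    """Return a flow dict for a recognised log line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
    }


def classify(flow):
    """Apply the egress policy; returns (verdict, reason)."""
    src, dst, proto, dport = flow["src"], flow["dst"], flow["proto"], flow["dport"]
    if src not in INTERNAL_NET:
        return ("ignore", "not from the user network")
    # Allowed paths: each is pinned to a specific internal gateway host.
    if proto == "tcp" and dst == PROXY and dport == PROXY_PORT:
        return ("allow", "web/ftp via authenticated proxy")
    if proto == "tcp" and dst == MAIL_GATEWAY and dport == 25:
        return ("allow", "smtp via mail gateway")
    if proto in ("udp", "tcp") and dst == DNS_SERVER and dport == 53:
        return ("allow", "dns via controlled resolver")
    # Named denials give the analyst a more useful reason than a bare drop.
    if dport == 53:
        return ("deny", "dns to non-approved resolver %s" % dst)
    if proto == "tcp" and dport == 22:
        return ("deny", "outbound ssh")
    return ("deny", "no egress rule for %s/%d" % (proto, dport))


def audit(lines):
    """Return (src, dst, dport, reason) for every flow the policy denies."""
    findings = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is None:
            continue
        verdict, reason = classify(flow)
        if verdict == "deny":
            findings.append((str(flow["src"]), str(flow["dst"]), flow["dport"], reason))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reason in audit(SAMPLE_LOG):
        print("%s -> %s:%d  %s" % (src, dst, dport, reason))
```

Run as-is it reports the outbound SSH attempt, the DNS query to an outside resolver and the direct HTTPS connection that bypassed the proxy; the three approved flows and the unrelated kernel line produce nothing. The design choice worth noting is that every allow rule is pinned to a specific gateway host, so "DNS is allowed" never silently becomes "DNS to anywhere is allowed".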