Firewall Wizards mailing list archives

Re: RE: In defense of non standard ports


From: Chuck Swiger <chuck () codefab com>
Date: Tue, 24 Jan 2006 09:24:37 -0500

ArkanoiD wrote:
> nuqneH,
>
> Allowing uncontrolled HTTP CONNECT to any port seems quite suicidal for
> any reasonable security policy, am i wrong?

Not at all. Makes a handy-dandy universal proxy which is being tunneled via SSL to hide the contents from easy inspection, and it's almost certain that the locals have decided that their proxy is allowed to do HTTPS through the firewall.

It's also quite possible that the locals have decided that the proxy should be allowed access to everything, assuming that only legitimate users would be on it. [1]

It was about seven or eight years ago that networks were getting pillaged en masse due to proxy-based end-runs around the local firewall, but that still happens today.

--
-Chuck

[1]: Needless to say, this is *not* a safe or prudent assumption. You should not trust your proxy too much. Your proxy should not trust something claiming to be you too much, either: it should make you authenticate. Stuff you access from the proxy should also make you authenticate.

Your proxy should be on your DMZ subnet, it should not be on a network which is considered "trusted".
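As an added illustration of the point about uncontrolled CONNECT and proxy authentication (editor's example, not part of the original post), here is the permissive setting beside a restricted one. It assumes a Squid proxy, which the thread does not name, and uses Squid's standard ACL directives; the authentication helper path is a placeholder.

```conf
# Added example, not from the thread. Assumes a Squid proxy; the post does not
# say which proxy software was in use.

# --- Permissive: the "uncontrolled HTTP CONNECT to any port" case ---
# A firewall-trusted proxy with this policy lets any client open a TLS-wrapped
# tunnel to any TCP port, with no idea who the client is.
#
#   acl CONNECT method CONNECT
#   http_access allow all        # any client, any method, any destination port

# --- Restricted: CONNECT only to the TLS port, every client authenticated ---
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Refuse tunnels to anything but the TLS port...
http_access deny CONNECT !SSL_ports
# ...and ordinary requests to unexpected ports.
http_access deny !Safe_ports

# Require proxy authentication before anything is allowed.
# Helper path below is a placeholder; it varies by distribution.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

# Default deny: only what is explicitly allowed above gets through.
http_access deny all
```

Pair this with placing the proxy on the DMZ subnet as the post recommends, so that a client that does get through the proxy still faces the firewall rather than the internal network.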
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards