NFR Wizards Archives: Re: Tunnelling

Re: Tunnelling


Peter Gutmann (pgut001cs.auckland.ac.nz)
Sat, 6 Nov 1999 04:48:00 (NZDT)


[cc'd back into firewall-wizards from ukcrypto in case it's of interest]

Donald Ramsbottom <donaldramsbottom.co.uk> writes:

>Remember the tunnelling software I mentioned a few weeks back, well there is
>not a lot on it but firewall Guru PJ has a little more on it see below. He
>has mentioned if anyone is having difficulty they can email him. His email
>is paul_jenningsvnet.ibm.com.
>
>I know it's off topic but it is a security risk which has the potential to
>bypass conventional security, and is therefore legitimate.
>
>It appears from the last post that BT may be one of the culprits! Some of the
>posts have been repeated.

It's not just BT, quite a number of companies are quietly using this trick to
get data past firewalls because it's the only practical way to do it. The
reasoning which leads to its use is something like:

- Our product relies on being able to move (audio/video/EDI/database
  transactions/authorisation data/whatever) in and out of customer sites.
- Most of them are running firewalls which block anything other than mail,
  HTTP, and possibly very limited FTP.
- Doing it the way you're supposed to will require getting every user to
  reconfigure their firewalls and whatnot. Most of them don't even know what
  the firewall is apart from "that box with the blinky lights which someone
  set up for us last year".

-> We'll use HTTP to tunnel it through and it won't be a problem. Even as yet
   undiscovered tribes in the jungles of Borneo can handle HTTP.

(Six months later when they've developed workarounds for all the broken and
 incorrectly implemented Micros^H^H^H^H^Hproxies/firewalls floating around out
 there which don't quite get HTTP right, things do actually work out this way.
 The main problem is things caching data when they shouldn't).

Adding filtering to stop HTTP tunnelling is a good idea security-wise, but
it's going to break a lot of stuff which is using it because other
filtering is already preventing the use of traditional ways of getting data
through. Improving HTTP filtering will just lead to an arms race in which
the people who need to get data in and out will improve their tunnelling to
bypass HTTP filters.

Peter.


