[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipsec vs. firewalls

To: Jean Chouanard <chouanard@parc.xerox.com>
Subject: Re: ipsec vs. firewalls
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Date: Sun, 10 May 1998 10:08:55 -0400
cc: Steve Bellovin <smb@research.att.com>, ipsec@tis.com
In-reply-to: Your message of "Sat, 9 May 1998 20:40:10 PDT ." <98May9.204046pdt."32634"@alpha.xerox.com>
Sender: owner-ipsec@ex.tis.com

> Also, you already are in trouble if your security policy allows outgoing
> connection for protocols which can be used to tunnel others
> protocols/application inside (And there is a *lot* of them). 

I think this is an unwinnable war.  I've heard of examples of tunnels
running over WWW, DNS, ICMP, etc., etc., etc.

If you let *any* non-trivial protocol through your firewall, it will
be possible for someone with sufficient cleverness to tunnel any other
protocol through it.

					- Bill

References:

Re: ipsec vs. firewalls

From: Jean Chouanard <chouanard@parc.xerox.com>

Prev by Date: Re: certificate key usage in IKE
Next by Date: Re: (IPng 5759) Re: [Karen Seo: Thomas Narten -- clarification, etc.]
Prev by thread: Re: ipsec vs. firewalls
Next by thread: question about tunnel mode
Index(es):
- Main
- Thread