On Wed, 3 Feb 1999, Dave Wreski wrote:

> Hi all.  I have a question about allowing routing protocols to go thru the
> firewall.  Specifically, someone asked me about GRE, the Generic Routing
> Encapsulation protocol.  Apparently this is used to encapsulate one
> protocol into another.

Yep, most often MS PPTP and AppleTalk.

> 
> To me, this could lead to allowing data types thru the firewall where we
> wouldn't normally allow.

Definitely.

> Also, it has been stated that unless we allow this GRE thru the firewall,
> we would have to allow only one port thru the firewall.  Otherwise, a
> whole number of ports would have to be opened.

For what?  It really doesn't make sense to allow *anything* through a 
firewall without an understanding of (a) What it is you're letting 
through (so you can do a risk/reward analysis) and (b) Why it is 
necessary to allow it through (so you can do a risk/reward analysis).  

All protocols are evil.  All protocols can be used to tunnel other 
protocols, some are just better-designed for that purpose.  SSL and GRE 
happen to be my favorite candidates for my "No!" of the day awards.  
There's no such thing as a "safe" or "good" protocol, all of them entail 
risk and how well you can trend, analyze and limit their scope is a part 
of the analysis of running a firewall.  Someone telling you you *have* to 
allow something in had better have a good reason why - and be able to 
have good reasons why other methods (mirror hosts externally, batch 
transfers, using already allowed protocols, connections to service 
networks...) would be too cost-prohibitive to do.  Otherwise you're 
running a firesieve, not a firewall and you're limiting your protection 
to a small subset of what it probably should be. 

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

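The point made in the reply above, that letting GRE through means the firewall no longer sees what is actually crossing it, can be shown with a few constructed packets. The example below is added here and is not code from the thread or from any firewall product; the addresses, the port list and the "permit GRE" rule are illustrative assumptions. It builds a TCP SYN to port 23 once as a plain packet and once wrapped in GRE (RFC 2784 header, protocol type 0x0800), then runs both through a toy stateless ACL that permits TCP/80, TCP/443 and IP protocol 47. Without looking inside the GRE payload the tunnelled telnet is permitted; with inner inspection it is denied, and a non-IP payload (AppleTalk, 0x809B) is denied because IP/port rules cannot be applied to it at all.

```python
"""Toy stateless ACL vs. GRE-encapsulated traffic (added example, not from the thread)."""
import socket
import struct

ALLOWED_TCP_PORTS = {80, 443}   # assumed: what the firewall normally permits
ALLOW_GRE = True                # assumed: the "just let GRE through" request
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_APPLETALK = 0x809B    # AppleTalk carried in GRE, one of the uses named in the reply


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing transmits it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def gre_header(proto_type):
    """4-byte GRE header: all flag bits clear, so no checksum/key/sequence fields follow."""
    return struct.pack("!HH", 0, proto_type)


def tcp_syn(sport, dport):
    """Minimal 20-byte TCP header with only SYN set; checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(buf):
    """Return (protocol number, payload) honouring the IHL field."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], buf[ihl:]


def gre_payload(buf):
    """Return (protocol type, encapsulated payload), skipping optional GRE fields."""
    flags, proto_type = struct.unpack("!HH", buf[:4])
    hdr_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1
        hdr_len += 4
    if flags & 0x2000:   # K bit: key (RFC 2890)
        hdr_len += 4
    if flags & 0x1000:   # S bit: sequence number (RFC 2890)
        hdr_len += 4
    return proto_type, buf[hdr_len:]


def acl_decision(pkt, inspect_gre):
    """Stateless permit/deny; with inspect_gre the same rules are applied to the inner packet."""
    proto, payload = parse_ipv4(pkt)
    if proto == 6:                                   # TCP: port-based rule
        dport = struct.unpack("!HH", payload[:4])[1]
        return "permit" if dport in ALLOWED_TCP_PORTS else "deny"
    if proto == 47:                                  # GRE
        if not ALLOW_GRE:
            return "deny"
        if not inspect_gre:
            return "permit"                          # rule sees only "protocol 47"
        proto_type, inner = gre_payload(payload)
        if proto_type != ETHERTYPE_IPV4:
            return "deny"                            # cannot apply IP rules to non-IP payload
        return acl_decision(inner, inspect_gre)      # recurse: handles GRE-in-GRE too
    return "deny"


def build_samples():
    """Constructed packets; 10.0.0.0/8 and 192.0.2.0/24 addresses are placeholders."""
    inner = ipv4_header("10.1.1.1", "10.2.2.2", 6, 20) + tcp_syn(40000, 23)
    atalk = b"\x00\x00\x00\x00\x00\x00\x00\x00"        # opaque non-IP payload
    return {
        "https": ipv4_header("192.0.2.1", "192.0.2.2", 6, 20) + tcp_syn(40000, 443),
        "telnet": ipv4_header("192.0.2.1", "192.0.2.2", 6, 20) + tcp_syn(40000, 23),
        "telnet_in_gre": ipv4_header("192.0.2.1", "192.0.2.2", 47, 4 + len(inner))
                         + gre_header(ETHERTYPE_IPV4) + inner,
        "appletalk_in_gre": ipv4_header("192.0.2.1", "192.0.2.2", 47, 4 + len(atalk))
                            + gre_header(ETHERTYPE_APPLETALK) + atalk,
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} outer-only={acl_decision(pkt, False):6s} "
              f"inspect-inner={acl_decision(pkt, True)}")
```

The recursion in acl_decision is deliberate: a tunnel inside a tunnel is the same problem one layer deeper, and a firewall that unwraps only one GRE layer is still a sieve for the next one. Real products that do inspect GRE also have to cope with the optional checksum, key and sequence fields and with fragmentation of the outer packet, which this toy ignores.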