Date: Wed, 20 Dec 2000 08:54:32 -0800 (PST)
From: David Lang <[EMAIL PROTECTED]>
To: Jürgen Nieveler <[EMAIL PROTECTED]>
cc: 'Frederick M Avolio' <[EMAIL PROTECTED]>, Jamy Klein <[EMAIL PROTECTED]>, 
    "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: your mail: Desktop FW LEAKing

while no application proxy firewall can prevent you from tunneling one
protocol through another (after all if it's valid data it's valid data) it
can force the attacker to jump through extra hoops to do the tunneling.

for port 443 it is possible for a proxy to insist that the browser issue
the HTTP connect message to the proxy and then follow it up with SSL
negotiation, this will prevent the port from being used by the beginners,
but not by the experts (Raptor 6.5 is supposed to do this, I haven't
double checked personally)

David Lang



On Wed, 20 Dec 2000, Jürgen Nieveler wrote:

> Date: Wed, 20 Dec 2000 08:37:48 +0100
> From: Jürgen Nieveler <[EMAIL PROTECTED]>
> To: 'Frederick M Avolio' <[EMAIL PROTECTED]>, Jamy Klein <[EMAIL PROTECTED]>,
>      "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: your mail: Desktop FW LEAKing
>
> > > there is no effective way to block apps going out a
> > > corporate firewall.
> >
> > [Addendum... sorry, I missed the obvious response...]
> >
> > Unless it was an application gateway firewall, right?
> >
>
> You'd have to block port 443. There is no way to proxy SSL-encrypted
> connections, therefore most proxies simply tunnel it.
> There are also programs that tunnel via port 80 with simulated HTML. Those
> will also pass an application-level gateway quite happily.
>
> Mit freundlichen Grüßen / Yours sincerely
>
> Juergen Nieveler
> arxes Software Factory AG
> UB eCommerce
> Tel.: +49/241/16008-327
> Fax:  +49/241/16008-354
> Email: [EMAIL PROTECTED]
> Web: www.arxes.de
> PGP:
> 2AAB A988 0B80 D53F FC53  3BED 8CC0 2092 922D 8378 (DH)
> 5ADF A15E 91E4 98DB  2391 0D29 8B08 A884 (RSA)
> Disclaimer: Views are mine, not my employers'
>
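
The check David Lang describes above (the proxy insists on an HTTP CONNECT and then on SSL negotiation), written out as an added example that is not part of the original thread and not Raptor's implementation. The function names, the port-443 policy and the sample bytes are assumptions constructed for illustration.

```python
import struct

ALLOWED_PORTS = {443}  # assumption: policy only tunnels CONNECT to port 443

def parse_connect(request_line: bytes):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT":
        return None
    if not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii", "replace"), int(port)

def looks_like_client_hello(first: bytes) -> bool:
    """True if the first tunnelled bytes begin an SSL/TLS ClientHello."""
    # SSLv3/TLS record: type 0x16 (handshake), major version 3,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if len(first) >= 6 and first[0] == 0x16 and first[1] == 0x03:
        (length,) = struct.unpack(">H", first[3:5])
        return 0 < length <= 16384 and first[5] == 0x01
    # SSLv2-format hello: high bit set in the 2-byte length header,
    # message type 0x01, then version 0x0002 (SSLv2) or 0x03xx.
    if len(first) >= 5 and first[0] & 0x80 and first[2] == 0x01:
        return first[3] == 0x03 or (first[3] == 0x00 and first[4] == 0x02)
    return False

def tunnel_decision(request_line: bytes, first_bytes: bytes) -> str:
    """Decide whether the proxy should keep relaying this tunnel."""
    target = parse_connect(request_line)
    if target is None:
        return "deny: not a well-formed CONNECT request"
    if target[1] not in ALLOWED_PORTS:
        return "deny: CONNECT to port %d not permitted" % target[1]
    if not looks_like_client_hello(first_bytes):
        return "deny: no SSL negotiation after CONNECT"
    return "allow"

# Constructed sample inputs (not captured traffic).
CONNECT_443 = b"CONNECT www.example.com:443 HTTP/1.0\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
SSLV2_HELLO = b"\x80\x2e\x01\x03\x00\x00\x15\x00\x00\x00\x10"
SSH_BANNER = b"SSH-2.0-example\r\n"

if __name__ == "__main__":
    for first in (TLS_HELLO, SSLV2_HELLO, SSH_BANNER):
        print(tunnel_decision(CONNECT_443, first))
```

As the message says, this only raises the bar: data wrapped in a genuine SSL handshake still passes the check.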
