> -----Original Message-----
> From: Big Geek [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 13 March 2001 12:42
> To: list firewall
> Subject: Persistent Connection
>
>
> I am arguing against a request to allow a connection from
> within the Internal network to the Outside because it needs
> to be a persistent connection.
Fair enough. Persistent connections are dodgy.
> I can lock it down by source
> and destination and it will be put through a plug proxy.
OK. That's half of the possible exploits taken care of. (TCP tricks etc)
> The
> connection stream is 3DES encrypted.
And assuming that the stream also includes some sort of cryptographic
authentication method as well as encryption (which most standard protocols
will - "roll your own" ones may not) that takes care of most of the active
hijacking concerns.
> Which are all good
> things but I am uneasy about a persistent connection. My
> stand has been that it is much higher risk to leave a
> connection open than to allow an intermittent connection.
I don't see it. The remaining risks that _I_ can see are a DoS attack where
someone spoofs the external IP address and sends /dev/random, which may
result in your host spending lots of time trying to "decrypt" the packets.
Other than that you're left with layer 7 vulnerabilities on your internal
host.
I'm not sure I can quantify how much "extra" risk it is to leave a
connection active all the time rather than just off and on. If the
connection will only ever be active when there is someone actively
monitoring that host then there may be a response time benefit, I guess...
> My
> argument is weak in facts.
Sure is. 8)
> Can the group either direct me to a good source or provide
> information on why I should continue the fight.
IMHO, if this persistent connection is a business need, I don't see a reason
to fight about it. With the information you've presented, I'd classify the
risk as "minuscule", and you're arguing for a boost to "infinitesimal".
I'm sure you have bigger risks than this.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
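Added example, not from the thread or either correspondent: a receive path for an encrypt-then-MAC stream in Python, showing why the cryptographic authentication Ben assumes matters for both the hijacking and the DoS points. The tag is verified in constant time before any decryption work, so spoofed random data is rejected at the cost of one HMAC per record, and an authentic record replayed out of sequence is also dropped. The keys, the wire format and the SHA-256 counter keystream standing in for 3DES (absent from the standard library) are assumptions.

```python
import hashlib, hmac, os, struct
TAG_LEN = 32  # HMAC-SHA256 tag appended to every record

def keystream(enc_key, seq, n):
    # Stand-in cipher (assumption): 3DES is not in the stdlib, so a SHA-256
    # counter-mode keystream plays its role; the MAC-first logic is the point.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(enc_key + struct.pack(">QI", seq, ctr)).digest()
    return out[:n]

def seal(mac_key, enc_key, seq, plaintext):
    # Encrypt-then-MAC: the tag covers the sequence number and the ciphertext.
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    body = struct.pack(">Q", seq) + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, mac_key, enc_key):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.next_seq = 0
        self.stats = {"accepted": 0, "bad_tag": 0, "bad_seq": 0}

    def receive(self, record):
        # Verify the tag (constant-time compare) *before* any decryption work,
        # so a spoofed /dev/random flood costs one HMAC per packet and nothing more.
        if len(record) < 8 + TAG_LEN:
            self.stats["bad_tag"] += 1
            return None
        body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self.mac_key, body, hashlib.sha256).digest(), tag):
            self.stats["bad_tag"] += 1
            return None
        seq = struct.unpack(">Q", body[:8])[0]
        if seq != self.next_seq:  # authentic but replayed or out-of-order record
            self.stats["bad_seq"] += 1
            return None
        self.next_seq += 1
        self.stats["accepted"] += 1
        return bytes(a ^ b for a, b in zip(body[8:], keystream(self.enc_key, seq, len(body) - 8)))

def demo():
    mac_key, enc_key = b"mac-key-constructed", b"enc-key-constructed"  # constructed keys
    rx = Receiver(mac_key, enc_key)
    good = [seal(mac_key, enc_key, i, b"heartbeat %d" % i) for i in range(3)]
    out = [rx.receive(r) for r in good]
    rx.receive(good[1])                   # replay of an authentic record: dropped
    for _ in range(100):                  # constructed spoofed garbage: dropped cheaply
        rx.receive(os.urandom(64))
    return out, rx.stats
```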