My reading of slashdot (http://slashdot.org) has led to the discovery of
what seems to be a ridiculous RFC. RFC 3093
(http://www.isi.edu/in-notes/rfc3093.txt) proposes a standard for tunneling
any TCP/IP application over HTTP.

Can anyone think of a good reason for this? I'd like to see a bit of
comment in case I'm missing something here...

I thought that the whole idea behind ports was to be able to know what
traffic was passing through your network and to be able to stop it / control
it, e.g. if you don't want POP you block port 110, if you don't want telnet
you block port 23...

The RFC states that:
"Firewalls are built to protect from external threats, not internal ones.
Our proposed protocol does not break the security model of the Firewall; it
still protects against all external risks that a particular Firewall can
protect against.  For our protocol to work someone inside the Firewall must
run an application level protocol that can access TCP port 80.  Our concept
allows a consistent level of security while bypassing the IT manager in
charge of the Firewall.  We offer freedom to innovate without additionally
compromising external security, and the best part, no need to waste time
involving any managers for approval."

I think that this statement is flawed, as how do threats pass from external
to internal? Through the use of services, e.g. ftp. This model doesn't
consider that the threat isn't always initiated from the outside, e.g.
firewalls can be used to restrict ftp access to trusted sites only, but if
this RFC gets adopted and implemented then suddenly internal users will be
able to download anything from anywhere using whatever protocols they
like.

This list has seen long discussions about the problems of controlling instant
messaging software; just imagine the problem that would exist if this
'Firewall Enhancement Protocol' came into widespread use!

Have I missed the point here, or are there limitless reasons why this
protocol is a bad idea?

Cheers,
Alex Hague
Internet Support Officer
Auckland City Council
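The post's point is that a port-based rule set ("block 110, block 23") says nothing about what actually flows over port 80. The following is an added illustration, not from the post or the RFC: a port-only filter beside a protocol-aware check that flags client streams to port 80 whose opening bytes are not an HTTP request line. The policy, ports and sample flows are constructed for the example.

```python
import re

# Constructed policy mirroring the post: telnet (23) and POP3 (110) are blocked,
# everything else, including port 80, is allowed by port number alone.
BLOCKED_PORTS = {23, 110}

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
# An HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def port_filter_allows(dst_port: int) -> bool:
    """Pure port-based control: permits any destination port not explicitly blocked."""
    return dst_port not in BLOCKED_PORTS


def looks_like_http(payload: bytes) -> bool:
    """True only if the first bytes sent by the client form a valid HTTP request line."""
    m = REQUEST_LINE.match(payload)
    return m is not None and m.group(1).decode("ascii") in HTTP_METHODS


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Combine the port rule with a payload check on the 'web' port."""
    if not port_filter_allows(dst_port):
        return "blocked-by-port"
    if dst_port == 80 and not looks_like_http(payload):
        # Something other than HTTP is being carried on port 80: a tunnel candidate.
        return "suspect-tunnel"
    return "allowed"


# Constructed sample flows: (destination port, first bytes from the client)
SAMPLE_FLOWS = [
    (110, b"USER alice\r\n"),                                   # POP3, stopped by port rule
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # real web request
    (80, b"USER alice\r\n"),                                    # POP3 pushed through port 80
    (80, b"\xff\xfb\x18"),                                      # telnet IAC negotiation on port 80
]


def audit(flows):
    """Return (port, verdict) for every flow; the port filter alone would pass all port-80 ones."""
    return [(port, classify_flow(port, payload)) for port, payload in flows]
```

A tunnel that wraps its payload inside well-formed HTTP requests, which is what the RFC describes, passes this request-line check; catching that requires inspecting request bodies, sizes and timing rather than just the first line.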
