At 07:42 AM 5/29/99 -0400, Paul D. Robertson wrote:
>On Sat, 29 May 1999, Marcus J. Ranum wrote:
>
>> >just lost the high level of security. Whoever wrote the original plug-gw
>> >started a downward trend in security that's rapidly becoming the
>> >default.
>>
>> I take the blame for that, too. :)
>
>I suspected as much :)
>
>Plugboards are a good flexibility tool, the problem is that's the
>antithesis of a good security tool. It's been a pretty fair number of
>years since I installed my first plugboard - I'm *still* going through
>the "It isn't a proxy and I won't add one for <xyzzy>" argument every few
>months.
>
>> Proxy #0 was sendmail (!) :) -- it was the sendmail configuration
>> on a box named "decuac.dec.com" that kind of triggered the
>> whole proxy idea... It was all Fred Avolio's fault.
>
>It's only right that Fred should be blamed for something ;)
>
>> Plugboard security didn't really become the rage until Checkpoint
>> came out, a couple of years later, though arguably Cisco routers
>> had it all along. ;)
At the risk of losing the interest of everyone except Paul, Marcus, and me
(and even *that* may be a stretch! :-)) I want to make a case for plugs.
Plugs are in the same category as circuit gateways, right? Circuits with
well-configured routers is what they were doing at Bell Labs, and what
others started to do when SOCKS came out, and what many still do today. The
problem is, originally circuit gateways were thought of purely as an inside
to outside mechanism to 1) allow no direct connection to the inside and 2)
add logging and strong authentication if desired.
We would still agree, wouldn't we (for some value of "we") that there are
some safe Internet services where examining the data is fruitless? Sure,
you can hide a 2nd communications stream in RealAudio, as you can in a GIF,
but that's more than we're usually trying (or certainly able) to worry
about. (I'm not arguing for the safety of RealAudio as much as pointing out
an example of data that is difficult to analyse with a program).
I would say, and perhaps you (Marcus and Paul) would agree, that there are
services that might be allowable for which an application level examination
is useless -- i.e., there is nothing we can do with the data except count it.
In those cases it might be useful to require strong authentication, or
exert control over opened and closed ports. But, plug-gw and all of its
brethren (generic udp proxies!?) are consistently misused to the point
where people are practically propping the door open, allowing all sorts of
unsavory services through.
Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765
410-309-6910 (voice) 410-309-6911 (fax)
http://www.avolio.com/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
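The controls Fred lists as the only meaningful ones for a plug (a fixed destination per port, restriction of who may use it, strong authentication where wanted, logging, and counting the bytes since nothing else can be done with them) can be modelled in a few dozen lines. The following is an added illustration and not code from the thread or from TIS FWTK's plug-gw; the rule fields, the `PlugPolicy`/`admit`/`relay` names, the sample RealAudio rule and the 10.0.0.0/8 source range are all constructed for the example.

```python
"""Circuit-level relay ("plug") policy with the controls that remain useful
when payload inspection is fruitless: a per-port destination table, a source
allowlist, an optional strong-auth requirement, connection logging and byte
counting. Constructed illustration, not TIS FWTK plug-gw code; the rule
fields and function names are hypothetical."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import io
import ipaddress
import logging

log = logging.getLogger("plug")


@dataclass
class PlugRule:
    listen_port: int                 # port the plug listens on
    dest_host: str                   # fixed destination; the client cannot choose one
    dest_port: int
    allowed_sources: List[str]       # CIDR strings permitted to use this plug
    require_auth: bool = False       # demand strong auth before relaying
    max_bytes: Optional[int] = None  # cap on relayed bytes, None = unlimited


@dataclass
class PlugPolicy:
    rules: List[PlugRule] = field(default_factory=list)

    def find(self, listen_port: int) -> Optional[PlugRule]:
        for r in self.rules:
            if r.listen_port == listen_port:
                return r
        return None


def admit(policy: PlugPolicy, listen_port: int, src_ip: str,
          authenticated: bool = False) -> Tuple[Optional[PlugRule], str]:
    """Decide whether a new circuit is accepted. Returns (rule, reason); rule
    is None on denial. Every decision is logged, because the log is the only
    record a plug leaves of what passed through it."""
    rule = policy.find(listen_port)
    if rule is None:
        log.info("deny %s -> :%d (no rule)", src_ip, listen_port)
        return None, "no rule for port"
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(n) for n in rule.allowed_sources):
        log.info("deny %s -> :%d (source not allowed)", src_ip, listen_port)
        return None, "source not allowed"
    if rule.require_auth and not authenticated:
        log.info("deny %s -> :%d (auth required)", src_ip, listen_port)
        return None, "authentication required"
    log.info("allow %s -> %s:%d", src_ip, rule.dest_host, rule.dest_port)
    return rule, "ok"


def relay(rule: PlugRule, client: io.BufferedIOBase, server: io.BufferedIOBase,
          chunk: int = 4096) -> int:
    """Copy client->server until EOF or the rule's byte cap, inspecting nothing
    but the length. A real plug runs this in both directions on sockets; file-
    like objects keep the example offline. Returns the number of bytes relayed."""
    total = 0
    while True:
        data = client.read(chunk)
        if not data:
            break
        if rule.max_bytes is not None and total + len(data) > rule.max_bytes:
            room = rule.max_bytes - total
            server.write(data[:room])
            total += room
            log.warning("byte cap %d reached on :%d, closing circuit",
                        rule.max_bytes, rule.listen_port)
            break
        server.write(data)
        total += len(data)
    return total


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed rule: inside hosts may reach one RealAudio server, with auth.
    policy = PlugPolicy([PlugRule(7070, "ra.example.net", 7070,
                                  ["10.0.0.0/8"], require_auth=True,
                                  max_bytes=1024)])
    rule, why = admit(policy, 7070, "10.1.2.3", authenticated=True)
    print(why)
    if rule:
        print(relay(rule, io.BytesIO(b"\x00" * 2000), io.BytesIO()), "bytes")
```

The point of the shape is that the client never names the destination: the listening port alone selects `dest_host:dest_port`, so the plug cannot be turned into an open relay by whoever connects to it, and the byte cap and log are the entire extent of what the plug "knows" about the traffic.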