On Sat, 29 May 1999, Frederick M Avolio wrote:

[snip]

> At the risk of losing the interest of everyone except Paul, Marcus, and me
> (and even *that* may be a stretch! :-)) I want to make a case for plugs.
> Plugs are in the same category as circuit gateways, right? Circuits with
> well-configured routers is what they were doing at Bell Labs, and what
> others started to do when SOCKS came out, and what many still do today. The

Yep, SOCKS was definitely in the category.  I haven't looked at it since 
v2 though.

> problem is, originally circuit gateways were thought of purely as an inside
> to outside mechanism to 1) allow no direct connection to the inside and 2)
> add logging and strong authentication if desired. 

Definitely.  NNTP is a prime example of something that plugboards are 
good at - one-way TCP communication from an administered server.  The 
problem is that plug-gw was almost immediately abused (and I'm an 
offender as well) to allow client connections to various and sundry 
places because there wasn't time or leverage to do a real proxy.  Things 
went downhill from there.  

> 
> We would still agree, wouldn't we (for some value of "we") that there are
> some safe Internet services where examining the data is fruitless? Sure,
> you can hide a 2nd communications stream in RealAudio, as you can in a GIF,
> but that's more than we're usually trying (or certainly able) to worry
> about. (I'm not arguing for the safety of RealAudio as much as pointing out
> an example of data that is difficult to analyse with a program).

I'm not sure that I'd go as far as to call them "safe Internet 
services."  Tunneling is still a major flaw in most to-the-desktop 
protocols.  I much prefer the Pointcast model to the RealAudio model from 
a security perspective (caveat:  My employer has an equity stake in 
Pointcast) because it can be to a server I admin from a server I know 
about.  There are still tunneling possibilities, but they're much more 
difficult to realize.

> I would say, and perhaps you (Marcus and Paul) would agree, that there are
> services that might be allowable for which an application level examination
> is useless -- IE, there is nothing we can do with the data except count it.
> In those cases it might be useful to require strong authentication, or
> exert control over opened and closed ports. But, plug-gw and all of its

This is definitely something I agree with.

> brethren (generic udp proxies!?) are consistently misused to the point
> where people are practically propping the door open, allowing all sorts of
> unsavory services through.

That's a good synopsis of the point I was trying to make.  I also think 
it's important to look back and see *why* things like plug-gw, the original 
FW-1 code, etc. (all things that have at one point or another sent 
shivers down the backs of conservative network security folks) were so
widely adopted, and what - if anything - can be done about things like 
this moving forward.  People have recently come to the point where 
they're willing to purchase core software in a semi-functional state, and 
wait for the vendor to rev it up to snuff.  That includes OS' and 
seemingly firewall software.  Now it's extending into network protocols.  

I would *really* rather not get to the point where we're stuck like the 
anti-virus situation is, in a downward spiral with no sign of an end.  
Computer viruses are a solvable problem.  There's a multi-billion dollar 
industry more interested in continuing to sell anti-virus products than 
solutions and we've ultimately lost that war.  Even very large corporations 
can't seem to get Microsoft to fix the macro virus problem - the #1 virus 
problem at the moment and almost trivially repairable.  I still think we're 
half-a-step ahead of having to go that route, but the time to make the 
changes is pretty short.

The parallels are numerous, and we're increasingly facing active content 
issues with new protocols and services.  As much as I'd love to lament 
about the good old days of gopher and whine about SHTTP vs HTTPS, I'm 
still enough of an idealist to think there's some saving still left to do.
Given the number of times parachute.mpg has shown up in my e-mail system 
recently I'm not totally convinced it's all worth trying to do though...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
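The thread's point about plugs is a policy point: a circuit gateway knows only who connected and where the circuit goes, so the safe configuration pins both ends (the one-way NNTP feed from an administered server), and the "door propped open" configuration lets any client pick any destination. The example below is added here and is not code from this thread or from the TIS FWTK plug-gw; its rule syntax (`plug <port> from <cidr> to <host>:<port>`, with `any`, `*` and port `0` as wildcards) is invented for the example and is not the netperm-table format. It parses such a table, makes the circuit decision, audits the table for wildcard rules, and shows that the relay itself can do nothing with the data except count it.

```python
"""Minimal circuit-level "plug" policy: decide, audit, and count bytes (example code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import BinaryIO, List, Optional


@dataclass
class PlugRule:
    listen_port: int
    allowed_sources: list          # ip_network objects that may open the circuit
    dest_host: str                 # "*" means the client chooses (dangerous)
    dest_port: int                 # 0 means the client chooses (dangerous)
    text: str = ""                 # original rule line, for log messages


def parse_rules(table: str) -> List[PlugRule]:
    """Parse lines of the constructed form:
       plug <listen_port> from <cidr>[,<cidr>...]|any to <host>:<port>   # comment
    This format is invented for the example; it is not FWTK's netperm-table syntax."""
    rules = []
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 6 or parts[0] != "plug" or parts[2] != "from" or parts[4] != "to":
            raise ValueError(f"bad plug rule: {raw!r}")
        if parts[3] == "any":
            sources = [ip_network("0.0.0.0/0")]
        else:
            sources = [ip_network(s, strict=False) for s in parts[3].split(",")]
        host, port = parts[5].rsplit(":", 1)
        rules.append(PlugRule(int(parts[1]), sources, host, int(port), line))
    return rules


def lookup(rules: List[PlugRule], listen_port: int, src_ip: str) -> Optional[PlugRule]:
    """The whole circuit decision: which port was hit and who connected.
    The payload is never consulted, so this is all a plug can ever enforce."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.listen_port == listen_port and any(src in net for net in rule.allowed_sources):
            return rule
    return None


def audit(rules: List[PlugRule]) -> List[str]:
    """Flag rules that prop the door open: any-source, client-chosen host or port."""
    findings = []
    for rule in rules:
        if any(net.prefixlen == 0 for net in rule.allowed_sources):
            findings.append(f"port {rule.listen_port}: accepts circuits from any source")
        if rule.dest_host == "*":
            findings.append(f"port {rule.listen_port}: destination host chosen by client")
        if rule.dest_port == 0:
            findings.append(f"port {rule.listen_port}: destination port chosen by client")
    return findings


def relay(src: BinaryIO, dst: BinaryIO, bufsize: int = 4096) -> int:
    """Copy bytes without interpreting them and return the count: the only
    thing a plug can log about the data, which is the thread's point."""
    total = 0
    while True:
        chunk = src.read(bufsize)
        if not chunk:
            return total
        dst.write(chunk)
        total += len(chunk)


# Constructed sample table (addresses from the documentation ranges).
SAMPLE_TABLE = """
# one-way NNTP feed: only the administered news server may open the circuit
plug 119 from 192.0.2.10/32 to news.upstream.example:119
# the kind of rule the thread complains about: anyone, to anywhere, on any port
plug 1080 from any to *:0
"""

if __name__ == "__main__":
    import io
    rules = parse_rules(SAMPLE_TABLE)
    print("news server:", lookup(rules, 119, "192.0.2.10"))
    print("stranger:   ", lookup(rules, 119, "198.51.100.7"))
    for finding in audit(rules):
        print("AUDIT:", finding)
    print("bytes relayed:", relay(io.BytesIO(b"x" * 10000), io.BytesIO()))
```

Run the audit against the table before deploying it: a plug rule that survives `audit()` with no findings is the NNTP-style case the thread calls appropriate, and every finding is a place where the circuit gateway has been turned into the generic relay the thread warns about.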
