On Wed, 22 Dec 1999, Dave Wreski wrote:
> Do you happen to know where there is any information on the net that
> explains why ICQ/RA is a risk? Something that I can present to
> management?
I don't know that there's anything specific anywhere (don't know that
there isn't either.) My preference is that every protocol to be passed
go through a protocol analysis, risk analysis and business analysis to
determine if it should be passed. The second question is always the
"Why can't you get off your butt and go to an externally connected
machine?" question (the first is generally a business case and if you're
feeling especially user-hostile, the case for stopping abuse for
non-business purposes- users can't write those very well at all ;).)
Upper management should clearly understand the risks of tunneling, the
fact that the entire firewall's protection model is based on *blocking*
traffic, the analogy that I use is the difference between trying to bail
water with a pot with a hole or two in it (HTTP and SMTP generally) and
trying to bail water with a strainer- your boat's gonna sink a heck of a
lot quicker in the latter case. Anyone who thinks that just because a
firewall "supports" a particular protocol that it's safe to pass it doesn't
understand the protection model.
> [...]
>
> > request changes to it. Be aware that requesting change doesn't always
> > mean it will happen, native RealAudio is something I'd *never* allow
> > to a business network I was responsible for without something in
>
> I understand fwtk can be used to proxy it. Is this not sufficient?
Not natively, the native stuff is UDP. There's a "reference" TCP proxy
available on Progressive's site. Last time I analyzed the code, I was
underwhelmed at the level of "proxy" going on (my recollection was that
it was check for a string in the traffic stream), but it might be sufficient
for some people (obviously it is, since a lot of commercial firewall vendors
include it in their products). If anything, fwtk can be used to plug it,
but plug-gw *isn't* proxying and shouldn't be confused as anything but a
last-ditch worst-case attempt to bring a compromising protocol past the
border. Finally, the tunneled-over-HTTP version works through http-gw
from the toolkit.
Finally, without end-to-end QoS (if any of my Cisco account team reads
firewalls- Ob: "QoS sucks!"), figure out how many employees listening
to "Internet radio stations" or watching "Internet TV" over RealVideo it
takes to saturate the available Internet bandwidth (don't forget that
you're stuck with single in/out bound gateways in most cases, so you'll
end up with collisions and shouldn't use more than a 60% figure in those
cases if it's Ethernet.) So, if you have a T-3 or 2 of bandwidth, but
your firewall has 10Mb/s interfaces, you're stuck at around 6Mb/s maximum
available bandwidth in a switched environment. Put 150 radio stations on
there (without multicast it's bandwidth*lusers) then ask management where the
critical e-mail and Web stuff goes.
Or draw up a "routing by business-critical protocol" plan and see how
happy they'd be to fund a separate Internet connection for RA/RV, then point
out that combining the traffic is a worse scenario since it infringes on
mission-critical traffic without any ability to limit it.
Paul
(No I haven't forgotten, been kinda busy, you'll hear from me directly soon)
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280