On Thu, 20 Apr 2000 [EMAIL PROTECTED] wrote:
> IP over e-mail has been implemented. Do you allow e-mail? Then I can tunnel
> connections. You can _never_ stop covert channels - there are too damn many
> ways to get information out. You can try to eliminate them, and make your
FWIW, I don't think tunneling matches the traditional definition of a
covert channel, since a tunnel simply uses what is already an information
channel to carry information other than that which is expected.
A real covert channel would be something like the timing between packets,
where the channel is not traditionally an information carrier.
> users do more and more bizarre things. Or you can figure out what they need
> to get done, and come up with an acceptable means of so doing.
You can also enforce policy and nuke the ones who go outside of acceptable
behaviour.
Most tunnels can be detected through trending and analysis, especially
SMTP tunnels, but a lot of the time HTTP ones as well. The problem with HTTP
is that there are now *allowed* tunnels.
SSL is as much a risk as SSH.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
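A trending check of the kind Paul describes for SMTP, written as an added example that is not part of the original thread: on constructed mail-log lines it compares each sender's message count and message-size regularity in one hour against that sender's own baseline hours; the log format and the thresholds are assumptions.

```python
"""Trending check for SMTP-tunnel-like senders (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed mail-log lines, "timestamp sender size_in_bytes"; not real traffic.
# bob sends one message an hour, then a burst of twelve same-sized messages
# every five minutes, the regular fixed-size pattern a tunnel tends to produce.
SAMPLE_LOG = "\n".join([
    "2000-04-20T09:05 alice@example.org 2100",
    "2000-04-20T09:41 alice@example.org 3500",
    "2000-04-20T10:12 alice@example.org 1800",
    "2000-04-20T11:03 alice@example.org 2600",
    "2000-04-20T11:37 alice@example.org 900",
    "2000-04-20T09:20 bob@example.org 4800",
    "2000-04-20T10:30 bob@example.org 5200",
] + [f"2000-04-20T11:{m:02d} bob@example.org 4096" for m in range(0, 60, 5)])

def parse_log(text):
    """Yield (hour, sender, size) tuples; hour is the 'YYYY-MM-DDTHH' prefix."""
    for line in text.splitlines():
        ts, sender, size = line.split()
        yield ts[:13], sender, int(size)

def size_profile(records):
    """Per sender, per hour: the list of message sizes seen."""
    prof = defaultdict(lambda: defaultdict(list))
    for hour, sender, size in records:
        prof[sender][hour].append(size)
    return prof

def flag_senders(text, baseline_hours, window_hour, burst_ratio=5.0,
                 min_burst=10, max_size_cv=0.05):
    """Flag senders whose window-hour traffic departs from their own baseline.
    'burst': window count >= burst_ratio * mean hourly baseline count (floor 1).
    'uniform': >= min_burst messages whose sizes barely vary (CV < max_size_cv).
    Thresholds are assumed starting points and need tuning per site."""
    flagged = {}
    for sender, hours in size_profile(parse_log(text)).items():
        base_rate = max(mean(len(hours[h]) for h in baseline_hours), 1.0)
        sizes = hours[window_hour]
        reasons = []
        if len(sizes) >= burst_ratio * base_rate:
            reasons.append("burst")
        if len(sizes) >= min_burst and pstdev(sizes) / mean(sizes) < max_size_cv:
            reasons.append("uniform")
        if reasons:
            flagged[sender] = reasons
    return flagged
```

Running `flag_senders(SAMPLE_LOG, ["2000-04-20T09", "2000-04-20T10"], "2000-04-20T11")` flags only bob, for both the burst and the uniform-size signal.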