Thanks folks, I appreciate the responses.  I don't actually expect that they
will attempt anything more than browsing the port 80-based Napster proxies, which
would then be double proxied since I proxy all port 80 web browsing traffic at
my local proxy.  I believe that this will allow them to download which is what
they want, without making it easy (I'd really like to use possible instead of
easy, but won't) for them to share files.

It had occurred to me that if I really wanted to build a file transfer
application that someone wouldn't want me to run (and had no morals about making
it run anyway) I might try to institute a JavaScript-based query/response
algorithm which would allow my application to "poll" for file requests via page
refresh/requests - and then open a channel via an http: port 80 request to the
machine requesting the file or to the proxy machine, and then post the file
contents as form data.  Since this seems plausible to me (although probably
slow), and since I don't really know the nitty gritty on the mechanism utilized for
the Napster proxies, I've been sweating since this occurred to me.

The last thing I want to do is have to say "Doh!  Golly, I didn't even think of
that and thought that was impossible!"  Only to find out the hard way I'm
wrong...  And I simply haven't the time or resources to dedicate to trying to
maintain a comprehensive white list for web browsing - and the lost
productivity cost to my users would probably prevent such a scenario anyway.

I wish, how I wish, there was a practical way to prevent the execution of any
application I didn't want to run on a Wintel machine - at a reasonable price in
man-hours, hassle, and lost productivity.

Guy Skaggs
Director of Technology
Martingale Asset Management


(Original)
-----------------------------------------------------------------------
Subject: RE: Napster Proxies -vs- NAT & PORT blocking - Am I Secure??
Date: Thu, 30 Nov 2000 23:20:55 -0500
From: Richard Golodner <[EMAIL PROTECTED]>
To: 'elvene ' <[EMAIL PROTECTED]>


The only possible problem I could foresee would lie with multi-homed
machines. As long as you control all users through that one proxy, and all
unnecessary outbound traffic is blocked at the NAT, you should be cool. I am
curious to see what your users will attempt.
                     Sincerely, Richard Golodner
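
The poll-then-POST channel described in the first message above would show up at the port 80 proxy as timer-regular GETs to one host plus large request bodies sent to that same host. The following Python check for that pattern is an added example, not part of the original thread; the log layout, sample records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample records (not real traffic), one request per line:
#   epoch_seconds client_ip method host request_body_bytes
SAMPLE_LOG = """\
1000 10.0.0.5 GET files.example.net 0
1000 10.0.0.9 GET news.example.org 0
1004 10.0.0.9 GET news.example.org 0
1030 10.0.0.5 GET files.example.net 0
1060 10.0.0.5 GET files.example.net 0
1090 10.0.0.5 GET files.example.net 0
1100 10.0.0.9 GET news.example.org 0
1120 10.0.0.5 GET files.example.net 0
1125 10.0.0.5 POST files.example.net 2500000
1160 10.0.0.5 POST files.example.net 3100000
1400 10.0.0.9 GET news.example.org 0
1410 10.0.0.9 POST news.example.org 2000000
1900 10.0.0.9 GET news.example.org 0
"""

# Assumed thresholds; tune against a baseline of your own proxy traffic.
MIN_POLLS = 5           # GETs to one host before the timing is judged
MAX_JITTER = 0.2        # stdev/mean of gaps between GETs; low = timer-driven
MIN_UPLOAD = 1_000_000  # total POST body bytes sent to the same host

def suspicious_pairs(log_text):
    """Return sorted (client, host, uploaded_bytes) that poll AND upload."""
    gets = defaultdict(list)
    uploaded = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of crashing
        ts, client, method, host, body = parts
        if method == "GET":
            gets[(client, host)].append(int(ts))
        elif method == "POST":
            uploaded[(client, host)] += int(body)
    flagged = []
    for key, times in gets.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) < MIN_POLLS or mean(gaps) == 0:
            continue  # too few requests, or all in the same second
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= MAX_JITTER and uploaded[key] >= MIN_UPLOAD:
            flagged.append((*key, uploaded[key]))
    return sorted(flagged)
```

In the sample, 10.0.0.9 also uploads a large body but browses at irregular intervals, so only the timer-driven client is reported.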