On Fri, 19 Nov 2004, Charles Duffy wrote: > On Fri, 19 Nov 2004 07:52:33 -0500, Michael Scheidell wrote: > > > An application inspection firewall like a CyberGuard would (I hope?) > > detect the non HTTPS type traffic on port 443 or none HTTP traffic on > > port 80 (Anyone with a CyberGuard care to comment?) > > Once an HTTPS connection is created, or a valid HTTP GET/POST request > sent, one can still put arbitrary data in as... well, data. Unless the > software detects and stops you from sending or receiving random-looking > data streams as files being retrieved by HTTP, someone willing to write a > little code can pretty easily tunnel their VPN through entirely valid > HTTP(S) traffic.
While OpenVPN can use TCP port 443 or tunnel over a proxy using the HTTP CONNECT method, it makes no effort to impersonate the HTTP or HTTPS protocols. So any proxy that sanity-checks the HTTP CONNECT clients to make sure they are talking real HTTPS would be able to block OpenVPN. Now of course, that doesn't mean that someone couldn't develop a stealth patch to talk true HTTP or HTTPS and transmit the tunnel payload using GET/POST. James _______________________________________________ Nessus mailing list [EMAIL PROTECTED] http://mail.nessus.org/mailman/listinfo/nessus
