Harald,

> That's my understanding. We don't have a single port for SSL,
> instead running "blah-over-SSL"; BEEP is the same.
Sure - but we know to expect HTTP traffic at port 80 and HTTPS at 443. So if we don't like HTTPS, we simply block 443 at the firewall. End of the story.

> > > HTTP opens a security hole in a firewall, even with a proxy
> > > server. I have successfully run IP tunnels over HTTP through
> > > a proxy using off-the-shelf software. This is a red herring, IMO.
> >
> > This is exactly my concern! And I don't see it is addressed in the
> > syslog RFC series...
>
> I'm not aware of any IETF protocols that address this
> problem, which is my (subtle :-) point. I'm of the opinion
> that defending against these attacks is beyond the scope of
> the individual IETF working groups (and is, in some cases,
> impossible :-).

Sure - but the fact is that there is the IP standard (I guess you know which I mean, I don't have the RFC at hand ;)) and it is itself a multiplexing protocol, using port numbers to multiplex the different "channels" on the wire. Current firewall technology provides adequate measures for this. Most of the other IETF protocols are not multiplexing protocols, so they don't add any concerns above what IP already does. As we specifically deal with security issues, I think we should at least provide some awareness of the fact that we have a protocol that allows for such doing. Sure, I would always opt to have a dedicated machine running a proven and trusted version of a BEEP-based syslog, but it might be a good idea to provide some additional reasoning for this to the end user.

Also, keep in mind that there are three levels of acceptance:

- in the standards committee
- at the implementors
- at the end user level

A protocol proves to be successful only if implementors implement it AND end users deploy their products. And there are definitely concerns about multiplexing protocols at the end user level (and I think it is good so). Maybe I am overly concerned with that - but look how even the smallest spots are exploited.
And tunneling over HTTP is a good sample of what should not happen to a protocol (as Microsoft says: ".NET is firewall friendly"...).

Rainer
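As an added illustration of the multiplexing point made above (this is example code, not part of the original thread and not taken from any BEEP implementation), the Python below parses a constructed BEEP octet stream that follows the RFC 3080 framing ("MSG channel msgno more seqno size" header, payload, "END" trailer) and contrasts what a port-only firewall can decide with what a per-channel policy would need to do. The channel numbers, payloads, flow names and the port number 601 are assumptions made for the example only.

```python
import re
from collections import defaultdict

# Constructed BEEP octet stream (RFC 3080 framing). The channel numbers and
# payloads are invented for this example: assume channel 1 carries syslog
# text and channel 3 carries tunnelled traffic the firewall admin would
# rather not let through. Both ride the same TCP connection.
SAMPLE_STREAM = (
    b"MSG 1 0 . 0 19\r\n<34>host app: helloEND\r\n"
    b"MSG 3 0 . 0 32\r\ntunneled: IP 10.0.0.1 > 10.0.0.2END\r\n"
    b"MSG 1 1 . 19 17\r\n<34>host app: byeEND\r\n"
)

# Frame header: type channel msgno more seqno size [ansno] CRLF
HEADER_RE = re.compile(
    rb"(MSG|RPY|ERR|ANS|NUL) (\d+) (\d+) ([.*]) (\d+) (\d+)(?: (\d+))?\r\n"
)
TRAILER = b"END\r\n"


def parse_beep_frames(stream):
    """Split a raw BEEP octet stream into frames, one dict per frame.

    Raises ValueError on a malformed header, a truncated payload or a
    missing END trailer, so a filter built on this cannot be desynchronised
    by a short frame.
    """
    frames, pos = [], 0
    while pos < len(stream):
        m = HEADER_RE.match(stream, pos)
        if m is None:
            raise ValueError("malformed frame header at offset %d" % pos)
        size = int(m.group(6))
        start, end = m.end(), m.end() + size
        payload = stream[start:end]
        if len(payload) != size or stream[end:end + len(TRAILER)] != TRAILER:
            raise ValueError("truncated payload or missing END at offset %d" % start)
        frames.append({
            "type": m.group(1).decode(),
            "channel": int(m.group(2)),
            "msgno": int(m.group(3)),
            "more": m.group(4) == b"*",
            "seqno": int(m.group(5)),
            "payload": payload,
        })
        pos = end + len(TRAILER)
    return frames


def demux_by_channel(frames):
    """Reassemble each channel's byte stream, as a BEEP peer does."""
    chans = defaultdict(bytes)
    for f in frames:
        chans[f["channel"]] += f["payload"]
    return dict(chans)


def port_filter(flows, blocked_ports):
    """Port-only firewall: one verdict per TCP flow, nothing below the 5-tuple.

    flows is a list of (name, dst_port). An accepted BEEP flow carries every
    channel inside it, whatever each channel is used for.
    """
    return {name: ("DROP" if port in blocked_ports else "ACCEPT")
            for name, port in flows}


def channel_policy(frames, allowed_channels):
    """What enforcing policy below the port level costs: parse the framing
    and decide per frame. Returns [(channel, verdict), ...]."""
    return [(f["channel"], "ACCEPT" if f["channel"] in allowed_channels else "DROP")
            for f in frames]


if __name__ == "__main__":
    # Assumed flows: HTTPS on 443, syslog-over-BEEP on 601 (port is an assumption).
    print("port filter:", port_filter([("https", 443), ("beep", 601)], {443}))
    frames = parse_beep_frames(SAMPLE_STREAM)
    print("channels hidden inside the accepted BEEP flow:",
          sorted(demux_by_channel(frames)))
    for ch, verdict in channel_policy(frames, allowed_channels={1}):
        print("channel %d: %s" % (ch, verdict))
```

Blocking port 443 stops HTTPS outright, but the BEEP flow on its single port is either accepted or dropped as a whole; telling channel 1 from channel 3 requires a filter that understands the framing, which is exactly the kind of awareness the message above asks the specification to give end users.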
