[109238] in Cypherpunks


Re: Firedoors (fired Oors ?)

daemon@ATHENA.MIT.EDU (Bill Stewart)
Sun Mar 14 20:00:13 1999

Date: Sun, 14 Mar 1999 16:03:40 -0800
To: cypherpunks@cyberpass.net
From: Bill Stewart <bill.stewart@pobox.com>
Cc: lars@nocrew.org
In-Reply-To: <199903141454.PAA25875@mail.replay.com>
Reply-To: Bill Stewart <bill.stewart@pobox.com>

At 03:54 PM 3/14/99 +0100, Some ostensibly Anonymous person wrote:
>Finally, fireholes for the masses:
>http://www.nocrew.org/software/httptunnel.html (sources & info.)
>   This is the beginning of an end to illiteracy-based security. 
>Imagine all those billions spent on firewall ("security") consultants :-))
>It is just a matter of time before web operators start offering services based
>on http tunnelling. With a proper mimicry there is no way to filter this out.

The author is somewhat confused about why firewalls exist.
They're not (usually) to keep insiders in - that's a known hard problem,
though firewalls can sometimes be used to track what insiders send outside.
They're to keep outside crackers out, because the damage that can
be caused by crackers is serious enough that you can't afford not to,
even if the cost is making it hard for employees to work from home or the road.

Some places use censorware at firewalls to keep employees from accessing
politically incorrect sites, and httptunnel can help work around that,
though you can accomplish much the same by using an anonymizer that
the censorware doesn't know about.

It would occasionally be pleasant to initiate a tunnel from work
to my home machine (now happily running DSL), since I could use it
to connect much faster than the dialup I would otherwise use,
but that means that my nearly defenseless Win95 machine has suddenly
become another corporate firewall, which is about as dangerous as
having a non-managed dialin modem inside the firewall with the 
phone number scribbled on 2600.com's wallpaper.

The alternative is to use a firewall with some sort of inbound tunnel.
By the way, while encrypted tunnels are an obviously Good Thing,
there's a lot that could be accomplished by using the IPSEC AH authentication,
and only allowing your tunnel server to accept packets which are
correctly authenticated.

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
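As an added example (not from Bill's message or from httptunnel or any other project named here), a toy model of the closing point: a tunnel server that drops every packet whose AH-style integrity check value fails or whose sequence number is a replay, and only then hands the payload to the tunnel. The packet layout, key and field names are constructed for illustration; real AH computes the ICV over the IP header with mutable fields zeroed plus the AH header and payload, and keys come from IKE or manual keying.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12        # AH commonly truncates the HMAC output to 96 bits
REPLAY_WINDOW = 64  # anti-replay window size, as in the AH sliding window

# Constructed layout: [ttl:1][src:4][dst:4][spi:4][seq:4][icv:12][payload]
# ttl is a mutable field (routers decrement it), so it is zeroed for the ICV.
def _icv(key: bytes, src: bytes, dst: bytes, spi_seq: bytes, payload: bytes) -> bytes:
    return hmac.new(key, b"\x00" + src + dst + spi_seq + payload, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(key, spi, seq, src, dst, ttl, payload):
    spi_seq = struct.pack("!II", spi, seq)
    return bytes([ttl]) + src + dst + spi_seq + _icv(key, src, dst, spi_seq, payload) + payload

class TunnelServer:
    """Accepts only packets that verify under the SA key and are not replays."""
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.highest, self.seen = key, spi, 0, set()

    def accept(self, pkt: bytes):
        if len(pkt) < 17 + ICV_LEN:
            return None                      # truncated: drop
        src, dst, spi_seq = pkt[1:5], pkt[5:9], pkt[9:17]
        icv, payload = pkt[17:17 + ICV_LEN], pkt[17 + ICV_LEN:]
        spi, seq = struct.unpack("!II", spi_seq)
        if spi != self.spi:
            return None                      # not our security association
        if not hmac.compare_digest(icv, _icv(self.key, src, dst, spi_seq, payload)):
            return None                      # forged or tampered: drop before any processing
        if seq in self.seen or seq + REPLAY_WINDOW <= self.highest:
            return None                      # replayed or older than the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + REPLAY_WINDOW > self.highest}
        return payload                       # authenticated: pass to the tunnel

def demo():
    key, spi = b"constructed-sa-key", 0x1001   # constructed values
    src, dst = b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02"
    srv = TunnelServer(key, spi)
    good = build_packet(key, spi, 1, src, dst, 64, b"hello")
    hopped = bytes([63]) + good[1:]            # TTL changed in transit: still valid
    tampered = good[:-5] + b"HELLO"            # payload altered: ICV fails
    forged = build_packet(b"wrong-key", spi, 2, src, dst, 64, b"evil")
    later = build_packet(key, spi, 2, src, dst, 60, b"next")
    return (srv.accept(hopped), srv.accept(good),       # accepted, then replay rejected
            srv.accept(tampered), srv.accept(forged),   # both rejected
            srv.accept(later))                          # fresh sequence number accepted
```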