Saturday, September 08, 2007

firewall-wizards Digest, Vol 17, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Do you permit X11 via proxy firewall? (jason@tacorp.com)


----------------------------------------------------------------------

Message: 1
Date: Thu, 6 Sep 2007 16:49:55 -0400 (EDT)
From: jason@tacorp.com
Subject: Re: [fw-wiz] Do you permit X11 via proxy firewall?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20070906164522.X18613@phoenix.cnwr.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

>
> why is tunneling X through firewalls noticeably safer than just doing packet
> filtering to allow it through?
>
> if the only answer is because it prevents someone from intercepting and
> tinkering with the TCP datastream then it's only relevant in some situations and
> you are saying that in others it's perfectly safe to just do packet filtering.

Perhaps, it's not about safety but rather manageability. It's a lot
easier to manage that traffic if it's done as part of a single application
rather than as a whole protocol suite and multiple ports.

If I recall correctly, X11 is one of those protocols that tries to
negotiate ports rather than just using a fixed few. This may be a bit of a
hassle, which may cause errors or result in having ports open that don't need to be.

I know it's lame to use the 'it's easier this way' excuse rather than just
doing it right, but there is definitely some benefit to having something
that's easy to manage over something that's not.

Jason

>
> remember, just because everyone is doing it, it may not be safe.
>
> remember almost everyone thinks that firewalls are just packet filters and have
> no business actually looking at the packets that they let through.
>
> David Lang
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>


------------------------------


End of firewall-wizards Digest, Vol 17, Issue 6
***********************************************
