
Re: [FW-1] [fw-1] Instant Messenger bypass FW-1



> You sure are an ornery commenter, Don.  My point here is that if you have any
> port open outbound, an application will be able to use that port to get
> out -- for instance 80/tcp.  The firewall will let it out because, as far
> as it is concerned, that is valid HTTP traffic: it only checks for
> valid IP addresses and valid ports, nothing in the upper layers to
> verify that this is normal HTTP (80/tcp) traffic and not,
> as this person suggested, IM.
No argument here. I was just pointing out that if we followed best
practices, none of this would be a concern. Unfortunately, few of my
customers are interested in best practices.

> I agree that people **should** not use it, but the truth is that people do.
> The idea here is to make people aware that an application that uses a
> **valid** port, as far as your policy is concerned, will get through the
> firewall unless you use other measures to block it -- as mentioned by
> you, myself and various others.
The only point I was trying to make is that firewall policy should be deny
all in both directions by default. Unfortunately this is rarely the case.
The vast majority of firewall policies are far more open than they need to
be for the sake of convenience.

As for being ornery, I have to apologize. This has been a really off week
for me. I shall endeavor to turn down the rhetoric :)

-Don
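The point argued above (a port-only rule passes anything sent to an open outbound port, so IM riding 80/tcp looks like HTTP to the firewall) is easiest to see by running a port-only decision and an application-layer decision over the same flows. The following is an added example, not code from the thread or from FireWall-1; it assumes a policy that opens only 80 and 443 outbound, and the sample payloads are constructed: an ordinary browser request, a made-up binary client protocol and a line-oriented chat protocol sent to 80/tcp, a well-formed HTTP CONNECT request (a case the thread does not raise, added here because it passes a strict "is this HTTP?" check while carrying a foreign protocol by design), an HTTP/1.1 request without a Host header, and the binary protocol on a port the policy does not open.

```python
import re
from typing import Dict, NamedTuple, Tuple


class Flow(NamedTuple):
    """Outbound TCP flow as a filter sees it: destination port plus the
    first bytes the client sends after the handshake."""
    dst_port: int
    payload: bytes


# Constructed sample flows for this example (not captures from the thread).
SAMPLE_FLOWS: Dict[str, Flow] = {
    # an ordinary browser request on 80/tcp
    "browser": Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # a made-up binary client protocol sent to 80/tcp to ride the open port
    "binary_on_80": Flow(80, b"\x2a\x01\x00\x00\x00\x0a\x00\x00\x00\x01\x00\x03"),
    # a line-oriented chat protocol sent to 80/tcp: text, but not an HTTP request
    "text_on_80": Flow(80, b"NICK alice\r\nUSER alice 0 * :alice\r\n"),
    # well-formed HTTP whose whole purpose is to tunnel a foreign protocol
    "connect_on_80": Flow(80, b"CONNECT im.example.net:5190 HTTP/1.1\r\n"
                              b"Host: im.example.net:5190\r\n\r\n"),
    # HTTP/1.1 request missing the mandatory Host header
    "no_host": Flow(80, b"GET / HTTP/1.1\r\n\r\n"),
    # the same binary protocol on a port the policy does not open
    "native_port": Flow(5190, b"\x2a\x01\x00\x00\x00\x0a\x00\x00\x00\x01\x00\x03"),
}

# Assumed outbound policy: only these destination ports are open.
ALLOWED_OUTBOUND_PORTS = {80, 443}

# HTTP/1.0 or 1.1 request line: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.(?P<minor>[01])\r\n")
PLAIN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}


def port_only_verdict(flow: Flow) -> str:
    """What a layer-3/4 rule decides: ports only, payload never looked at."""
    return "allow" if flow.dst_port in ALLOWED_OUTBOUND_PORTS else "deny"


def http_verdict(flow: Flow) -> str:
    """Application-layer check for 80/tcp: is this really an HTTP request?
    Ports other than 80 fall back to the port-only decision."""
    if flow.dst_port != 80:
        return port_only_verdict(flow)
    m = REQUEST_LINE.match(flow.payload)
    if m is None:
        return "deny:not-http"          # binary or non-HTTP text on port 80
    method = m.group("method")
    if method == b"CONNECT":
        return "deny:tunnel"            # valid HTTP, but built to carry something else
    if method not in PLAIN_METHODS:
        return "deny:not-http"
    head = flow.payload.split(b"\r\n\r\n", 1)[0]
    headers = head.split(b"\r\n")[1:]
    has_host = any(h.lower().startswith(b"host:") for h in headers)
    if m.group("minor") == b"1" and not has_host:
        return "deny:malformed-http"    # HTTP/1.1 requires a Host header
    return "allow"


def compare(flows: Dict[str, Flow]) -> Dict[str, Tuple[str, str]]:
    """Run both decisions over every flow: (port-only verdict, app-layer verdict)."""
    return {name: (port_only_verdict(f), http_verdict(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (l4, l7) in compare(SAMPLE_FLOWS).items():
        print(f"{name:14s} port-only={l4:6s} app-layer={l7}")
```

Every flow aimed at 80/tcp gets "allow" from the port-only rule, including the two non-HTTP clients; only the application-layer check separates them. The CONNECT row shows the limit of that check: the request is valid HTTP, so a protocol validator has to treat tunnelling methods as a policy decision of their own rather than as a syntax question.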

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.