
Re: [FW-1] [fw-1] Instant Messenger bypass FW-1



No disagreement here.  The point that I was trying to make to Dimitri was
that at a service level I don't think there's a way to tackle this.  If you
get into proxying or some of the arguably non-firewall firewall add-ons,
etc., ayup, there are some answers.  But I think Dimitri proposed using a
custom service in the security policy, which I don't think is going to work
due to a still-inherent port dependency (unless there's something I'm
missing, and I may well be).

-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Thursday, June 13, 2002 3:05 PM
To: [email protected]
Subject: Re: [FW-1] [fw-1] Instant Messenger bypass FW-1


> So we're talking about utilizing proxy functionality, not (in reference
> to the post from Dimitri that actually prompted the reply you're
> quoting me from) firewall functionality, as I think *he* was describing.
>
> Right?
I wasn't talking about any functionality in particular. Just saying that IM
clients can't do anything if we block their access to the rest of the
Internet.

> > Telnet, DNS, yadda yadda. While your point about denying everything
> > unless "absolutely needed" is well taken, the point is that AIM will
> > piggyback on one of those "absolutely needed" ports and at that
> > point your only option is to blackhole the login servers.
This is the comment I was addressing specifically. If you don't allow
workstations to do DNS lookups, or direct SMTP, then there will be no holes
for clients like AIM to exploit.

-Don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================




 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.