The question is... is there any way to protect against this? I mean, how would you differenciate on for example, a squid, the traffic of one of this tunnels from the real traffic you want to allow?
There is a way to protect any particular form of tunnelling (i.e., if you know that a particular tunnel is there, you'll find a way to disrupt it).
But there is no practical way to prevent covert communications of an inside user to the outside world, if any reasonable connectivity, through whatever firewall or whatever, exists. You can minimize the risk by monitoring everyone's activity 24hours, but even then you don't have 100% guarantee.
And if you close the network, the person can smuggle diskettes in and out, creating a high-latency link. Or use the state of his office lighting (on or off) at every 17th minutes to signify whether the next bit of the message is 0 or 1. Not too good to transmit a picture, but enough to eventually relay a secret encryption key to someone out there watching. You've got the idea...
Reminds me of a rumor I heard that someone was working on an NFS over SMTP gateway. Would have pretty crappy latency, but the point was to prove that a firewall is not a guarrantee of security.
Also worth considering in your examples is RFC2549 (IP over Avian Carriers with QoS).
--Rich
_________________________________________________________
Rich Puhek ETN Systems Inc. 2125 1st Ave East Hibbing MN 55746
tel: 218.262.1130 email: [EMAIL PROTECTED] _________________________________________________________
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
