Vassilii Khachaturov wrote:
The question is... is there any way to protect against this? I mean, how
would you differenciate on for example, a squid, the traffic of one of this
tunnels from the real traffic you want to allow?
There is a way to protect any particular form of tunnelling (i.e., if you
know that a particular tunnel is there, you'll find a way to disrupt it).
But there is no practical way to prevent covert communications of an inside
user to the outside world, if any reasonable connectivity, through whatever
firewall or whatever, exists. You can minimize the risk by monitoring
everyone's activity 24hours, but even then you don't have 100% guarantee.
And if you close the network, the person can smuggle diskettes in and out,
creating a high-latency link. Or use the state of his office lighting (on or
off)
at every 17th minutes to signify whether the next bit of the message is 0 or 1.
Not too good to transmit a picture, but enough to eventually relay a secret
encryption key to someone out there watching. You've got the idea...
Reminds me of a rumor I heard that someone was working on an NFS over
SMTP gateway. Would have pretty crappy latency, but the point was to
prove that a firewall is not a guarrantee of security.
Also worth considering in your examples is RFC2549 (IP over Avian
Carriers with QoS).
--Rich
_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_________________________________________________________