Dariush Pietrzak wrote:

On Mon, Sep 22, 2003 at 10:18:20PM +0200, Bernd Eckenfels wrote:
FTP is a firewall nightmare,

 You think?

He's not the only one who thinks that way. It's an accepted fact within the InfoSec community.

Firewalls are a nightmare, and the only result of preferring http-only protocols is what you'll see in the near future: every single new protocol is HTTP and works via port 80/443. How's that for a firewall nightmare?

It is one, yes, but it's not the firewalls' fault. The problem is that some developers and users don't understand security and see firewalls as not much more than pesky contraptions that get in the way of everything. They consider their own applications as secure.

 Now you've got www traffic, file transfer, instant messaging, REMOTE
PROCEDURE CALLS (soap/xml-rpc for example), all going through your precious
firewall.

Using proper ALGs, you should be able to filter quite a bit of that stuff out currently, e.g. by placing strict constraints on the CONNECT method. If people start mimicking web pages, it's going to get more difficult. However, tunnelling is nothing really new. You can discover some of it using traffic analysis and investigating anomalous traffic patterns, such as HTTP with significant upstream traffic (HTTP should normally be very asymmetric).

it is insecure (plaintext),

Since when? It's only plaintext if you want it. You can choose/negotiate 'authentication, confidentiality and message integrity'.
 You can even change security levels at runtime - encrypt only authentication
 ( cool for transferring non-sensitive bulk data like movies/already
 encrypted backups ), encrypt selected files, etc. Check:
  RFC 959 (FTP)
  RFC 2246 (TLS)
  RFC 1579 (Firewall-friendly data exchange)
  RFC 2228 (FTP security extensions)
  ( ftp://ftp.rfc-editor.org/in-notes/rfc2228.txt )
That RFC is from 1997...

Those options are hardly ever used on the Internet. 99 out of 100 people who say FTP mean RFC 959 only.

Cheers,
Tobias
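The traffic-analysis idea above (HTTP is normally asymmetric, so a long-lived flow to 80/443 that pushes as much upstream as it pulls downstream deserves a look) as a small detector, added here as an example and not code from the mail or from any product mentioned. The CSV flow-record layout, the sample records and the thresholds are assumptions made for the example.

```python
"""Flag HTTP(S) flows whose upstream volume is not browsing-shaped.

Added example for this thread, not code from the original mail.  Ordinary
web browsing sends small requests and receives much larger responses.  A
sizeable flow to port 80/443 where the client sends about as much as, or
more than, it receives (tunnelled file transfer, RPC, messaging ...) is a
candidate for investigation.  The flow-record format, sample data and
thresholds below are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int     # client -> server
    bytes_in: int      # server -> client
    duration_s: float


WEB_PORTS = {80, 443}
MIN_BYTES_OUT = 200_000   # ignore small flows; they are noise (assumed threshold)
MAX_RATIO = 0.5           # out/in above this is "not browsing-shaped" (assumed)


def parse_flow(line):
    """Parse one constructed CSV record: src,dst,dport,bytes_out,bytes_in,duration_s."""
    src, dst, dport, bo, bi, dur = line.strip().split(",")
    return Flow(src, dst, int(dport), int(bo), int(bi), float(dur))


def upstream_ratio(flow):
    """Bytes sent by the client per byte received; guard against zero downstream."""
    return flow.bytes_out / max(flow.bytes_in, 1)


def is_suspicious(flow):
    """True for a web-port flow that is large and not strongly asymmetric."""
    if flow.dport not in WEB_PORTS:
        return False
    if flow.bytes_out < MIN_BYTES_OUT:
        return False
    return upstream_ratio(flow) > MAX_RATIO


def find_suspicious(lines):
    """Run the check over flow records, skipping blanks and '#' comments."""
    flows = [parse_flow(l) for l in lines if l.strip() and not l.startswith("#")]
    return [f for f in flows if is_suspicious(f)]


# Constructed sample: one normal download, one heavy upstream flow on 443,
# one tiny page fetch, and one SSH flow that is out of scope for this check.
SAMPLE = """# src,dst,dport,bytes_out,bytes_in,duration_s
10.0.0.5,198.51.100.10,443,18000,2400000,40
10.0.0.7,198.51.100.20,443,3500000,120000,900
10.0.0.9,203.0.113.5,80,900,45000,3
10.0.0.7,198.51.100.30,22,2000000,100000,600
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE.splitlines()):
        print(f"{f.src} -> {f.dst}:{f.dport} out={f.bytes_out} "
              f"in={f.bytes_in} ratio={upstream_ratio(f):.1f}")
```

A hit is a reason to look at the flow, not a verdict: legitimate uploads (backups, video calls, file-sharing sites) are upstream-heavy too, so in practice the ratio is combined with destination reputation, duration and the user's normal baseline before anyone is paged.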
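What the RFC 2228 options quoted above look like in practice: the client issues AUTH TLS before logging in, and then switches the data channel between PROT C (clear) and PROT P (private) per transfer, which is the "encrypt only authentication" or "encrypt selected files" setup. The auditor below walks an FTP control-channel dialogue (as a server log or decrypted capture would show it) and reports, for each transfer, whether the login went over TLS and which protection level applied. This is an added example, not code from the mail; the "C:"/"S:" transcript format and the sample sessions are constructed for it.

```python
"""Audit an FTP control-channel transcript for RFC 2228 security negotiation.

Added example, not code from the thread.  It walks a (here: constructed)
client/server dialogue and records whether credentials were sent before
AUTH TLS succeeded, and which data-channel protection level (PROT C or
PROT P) was in force for every transfer.  The transcript format with
"C:"/"S:" prefixes is an assumption made for this example.
"""

TRANSFER_CMDS = {"RETR", "STOR", "LIST", "NLST", "APPE", "STOU"}


def audit(transcript):
    """Return login/transfer protection facts for one control-channel session."""
    control_tls = False     # has AUTH TLS/SSL been accepted (reply 234)?
    prot = "C"              # RFC 2228 default data-channel protection is Clear
    plain_login = False     # PASS accepted while the control channel was clear
    transfers = []          # (command, argument, data_channel_encrypted)
    pending = None          # last client command waiting for its reply

    for line in transcript.splitlines():
        line = line.strip()
        if not line:
            continue
        who, _, text = line.partition(" ")
        if who == "C:":
            pending = text.split()
            continue
        if who != "S:" or pending is None:
            continue            # continuation replies (e.g. 226 after 150) need no command
        code = int(text[:3])
        cmd, args = pending[0].upper(), pending[1:]
        ok = 200 <= code < 300
        if cmd == "AUTH" and ok and args and args[0].upper() in ("TLS", "SSL"):
            control_tls = True
        elif cmd == "PROT" and ok and args:
            prot = args[0].upper()
        elif cmd == "PASS" and ok and not control_tls:
            plain_login = True
        elif cmd in TRANSFER_CMDS and 100 <= code < 300:
            transfers.append((cmd, " ".join(args), prot == "P"))
        pending = None

    return {"control_tls": control_tls,
            "plaintext_login": plain_login,
            "transfers": transfers}


# Constructed session: TLS on the control channel, bulk file in the clear,
# then PROT P raised at runtime for a sensitive file.
MIXED_SESSION = """S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: USER alice
S: 331 Password required
C: PASS secret
S: 230 Logged in
C: PROT C
S: 200 Protection level set to C
C: RETR movie.iso
S: 150 Opening data connection
S: 226 Transfer complete
C: PROT P
S: 200 Protection level set to P
C: RETR payroll.csv
S: 150 Opening data connection
S: 226 Transfer complete
"""

# Constructed session: plain RFC 959, which is what most "FTP" on the Internet means.
PLAIN_SESSION = """S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS secret
S: 230 Logged in
C: STOR report.txt
S: 150 Opening data connection
S: 226 Transfer complete
"""

if __name__ == "__main__":
    for name, session in (("mixed", MIXED_SESSION), ("plain", PLAIN_SESSION)):
        print(name, audit(session))
```

The report makes the thread's two points concrete: a session can be fully protected, selectively protected, or (as in the second sample) a plain RFC 959 login with the password and the file on the wire in clear text.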
