Regarding the "They started this thinking that this will make them
unfilterable. I expect they will soon find out that they were wrong,
and the race will really be on."

I disagree, since as long as there is free access to internet
nodes (i.e., unlike what some cellular companies that provide WAP
services do; they only allow you to surf their internal WAP pages),
you can find a way to access these resources, since inside the
definition of "allow a b c" you allow side effects to infiltrate, which
is at the heart of the internet technology makeup.
I will give you a small example: if you block any kind of
encapsulation inside HTTP/S (i.e., if you can really do that), I can use
what is defined as fair usage to embed the information, like in
steganography, but not restricted to it. The only way to possibly try to
restrict me is to use pattern recognition or AI that will profile my
internet usage (there is one in the making right now, but it will be very
crude and restricted to packet filtering).
So what I am trying to say is that there is no way to restrict a person
while working on the internet if he doesn't want to be restricted, short
of arresting that man (i.e., if you can find him :)


* - * - *
Tzahi Fadida
[EMAIL PROTECTED]
Technion Email: [EMAIL PROTECTED]
My Cool Site: HTTP://WWW.My2Nis.Com
* - * - * - * - * - * - * - * - * - *

WARNING TO SPAMMERS:  see at
http://members.lycos.co.uk/my2nis/spamwarning.html

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:linux-il-bounce@;cs.huji.ac.il]On Behalf Of Shachar Shemesh
> Sent: Wednesday, October 30, 2002 6:22 PM
> To: Aviram Jenik
> Cc: 'Oron Peled'; 'Yedidyah Bar-David'; [EMAIL PROTECTED]
> Subject: Re: upcoming java ssh2?
>
> Aviram Jenik wrote:
>
> >The main idea behind a firewall is not to prevent rogue outgoing
> >communication (this is usually pointless; you can do full IP tunneling
> >over ICMP packets if you wish) but to prevent incoming traffic to
> >various services. For example, you may have an Intranet web server that
> >should only be accessible from inside the network, but nobody from the
> >outside should access it.
> >
> A FW is a tool to enforce corporate policy on people who may or may not
> wish to abide by it. It is not the only tool, and there are other tools
> designed to help with that aim. The most recommended, but hard to
> maintain, is keeping only the services that need to run running.
>
> >The fact that administrators (ab)use it to block various services from
> >internal users (and then those users find "clever" ways to bypass these
> >restrictions) is another topic altogether
> >
> It's a matter of users deciding not to abide by these policies. Some of
> the reasons for doing so are understandable (China example), some are
> less (employees using corporate network to download Kaza movies, or open
> security holes in ICQ).
>
> >- but the ones that are
> >overloading services on port 80 are not the corporates, but rather the
> >client-side utilities which want to bypass f/w restrictions
> >
> But that's another strange concept.
>
> Let's look at it for a second:
> Why do clients like ICQ use HTTP? Because they want to be usable even
> if the admins don't want their users to have it. I'll repeat that - ICQ
> wants to bypass the corporate policy!
>
> What do admins do about it? Well, whatever their FWs allow them to do.
> Slowly, FWs start to look at HTTP as a layer 5 protocol, over which
> further inspection needs to be done. The race has begun. So far, the
> clients are far ahead, but the distance is slowly being closed. Check
> Point FW-1 NG FP3 (recently released) has an option of blocking Kaza and
> such.
>
> Who's the loser? Admins and end users. The former because they have to
> keep upgrading, and because these checks are far more performance
> intensive than packet matching and filtering. The former because as the
> inspections done become more and more intensive, performance drops and
> costs rise.
>
> Who's winning? Well, the security companies obviously can't complain
> (they can, and they do, but still). The client companies are also in the
> mix. They started this thinking that this will make them unfilterable. I
> expect they will soon find out that they were wrong, and the race will
> really be on. You will start seeing iterations of changing clients, and
> changing firewalls and proxies trying to catch up. All I can really say
> about that is "been there, done that, no winners".
>
> >Thanks,
> >Aviram Jenik
> >Beyond Security Ltd
> >http://www.BeyondSecurity.com
> >http://www.SecuriTeam.com
> >
> Theoretically, if people in corporates did not try to use these tools to
> bypass corporate policies, the need for layer 6 filtering would not have
> been big enough to justify security device companies diving into this
> market, leaving the real important uses (Free surfing out of China)
> without an answer. Sadly, people are too short sighted to understand that.
>
>                     Shachar
>
