W3C home > Mailing lists > Public > ietf-discuss@w3.org > August 2001

Use ofHTTP to pass firewalls

From: Jacob Palme <jptest@dsv.su.se>
Date: Thu, 9 Aug 2001 12:33:25 +0200
Message-Id: <p05100301b7981462f7ba@[130.237.150.141]>
To: discuss@apps.ietf.org
Cc: "Kristine Andersen" <kristineandersen@hotmail.com>, "Christer Backman" <asphalt_world@hotmail.com>, Fredrik Björck <bjorck@dsv.su.se>, Mats Wiklund <matsw@dsv.su.se>, Sead Muftic <sead@dsv.su.se>
A protocol technique which is becoming more and more common is
to tunnel other protocols over HTTP, or to use special variants
or usages of HTTP, in order to pass firewalls. Since firewalls
also often only allow connections to certain ports, this
technique often means that port 80 is used for a number of
different protocols.

The HTTP server, in such a case, works as a kind of multiplexing
agent, which distributes the incoming HTTP requests to different
applications.

I have some questions regarding this practice:

(1) Am I correct in describing the practice above?

(2) Does this practice lead to reduced or increased security,
     compared to the alternative of using special port numbers
     for each application and changing the firewalls when
     necessary?

(3) Is this a good practice? Should IETF do something to
     favor or disfavor this practive?

My feeling is that it is against the whole idea of port numbers to
multiplex lots of different applications to a single port 80, just in
order to cheat firewalls. And that security will be reduced by this
practice, since dangerous things may be able to pass the firewall by
using HTTP and port 80 and then forwarding the result to an insecure
program.

On the other hand, the HTTP server on port 80, which handles such
requests, may be more secure against various security holes, such
as the well-known buffer overflow, than particular servers for
particular port numbers. But of course the data which the HTTP
server forwards to the application program may cause buffer over-
flow in the application program, even if this data arrived indi-
rectly via the HTTP server on port 80?
-- 
Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
for more info see URL: http://www.dsv.su.se/jpalme/
Received on Thursday, 9 August 2001 09:42:23 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 9 December 2014 23:04:05 UTC