Re: Use ofHTTP to pass firewalls

See draft-moore-using-http-01.txt

At 03:33 AM 8/9/2001, Jacob Palme wrote:
>A protocol technique which is becoming more and more common is
>to tunnel other protocols over HTTP, or to use special variants
>or usages of HTTP, in order to pass firewalls. Since firewalls
>also often only allow connections to certain ports, this
>technique often means that port 80 is used for a number of
>different protocols.
>
>The HTTP server, in such a case, works as a kind of multiplexing
>agent, which distributes the incoming HTTP requests to different
>applications.
>
>I have some questions regarding this practice:
>
>(1) Am I correct in describing the practice above?
>
>(2) Does this practice lead to reduced or increased security,
>     compared to the alternative of using special port numbers
>     for each application and changing the firewalls when
>     necessary?
>
>(3) Is this a good practice? Should IETF do something to
>     favor or disfavor this practive?
>
>My feeling is that it is against the whole idea of port numbers to
>multiplex lots of different applications to a single port 80, just in
>order to cheat firewalls. And that security will be reduced by this
>practice, since dangerous things may be able to pass the firewall by
>using HTTP and port 80 and then forwarding the result to an insecure
>program.
>
>On the other hand, the HTTP server on port 80, which handles such
>requests, may be more secure against various security holes, such
>as the well-known buffer overflow, than particular servers for
>particular port numbers. But of course the data which the HTTP
>server forwards to the application program may cause buffer over-
>flow in the application program, even if this data arrived indi-
>rectly via the HTTP server on port 80?
>--
>Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
>for more info see URL: http://www.dsv.su.se/jpalme/

Michael W. Condry
Director,  Network Edge Technology

Received on Thursday, 9 August 2001 11:15:51 UTC