
Re: Use of HTTP to pass firewalls

From: Michael W. Condry <condry@intel.com>
Date: Thu, 09 Aug 2001 08:14:05 -0700
Message-Id: <5.1.0.14.2.20010809081329.01a808c0@FMSMSX63.intel.com>
To: Jacob Palme <jptest@dsv.su.se>, discuss@apps.ietf.org
Cc: "Kristine Andersen" <kristineandersen@hotmail.com>, "Christer Backman" <asphalt_world@hotmail.com>, Fredrik Björck <bjorck@dsv.su.se>, Mats Wiklund <matsw@dsv.su.se>, Sead Muftic <sead@dsv.su.se>, keith Moore <moore@cs.utk.edu>
See draft-moore-using-http-01.txt

At 03:33 AM 8/9/2001, Jacob Palme wrote:
>A protocol technique which is becoming more and more common is
>to tunnel other protocols over HTTP, or to use special variants
>or usages of HTTP, in order to pass firewalls. Since firewalls
>also often only allow connections to certain ports, this
>technique often means that port 80 is used for a number of
>different protocols.
>
>The HTTP server, in such a case, works as a kind of multiplexing
>agent, which distributes the incoming HTTP requests to different
>applications.
>
>I have some questions regarding this practice:
>
>(1) Am I correct in describing the practice above?
>
>(2) Does this practice lead to reduced or increased security,
>     compared to the alternative of using special port numbers
>     for each application and changing the firewalls when
>     necessary?
>
>(3) Is this a good practice? Should IETF do something to
>     favor or disfavor this practice?
>
>My feeling is that it is against the whole idea of port numbers to
>multiplex lots of different applications to a single port 80, just in
>order to cheat firewalls. And that security will be reduced by this
>practice, since dangerous things may be able to pass the firewall by
>using HTTP and port 80 and then forwarding the result to an insecure
>program.
>
>On the other hand, the HTTP server on port 80, which handles such
>requests, may be more secure against various security holes, such
>as the well-known buffer overflow, than particular servers for
>particular port numbers. But of course the data which the HTTP
>server forwards to the application program may cause buffer overflow
>in the application program, even if this data arrived indirectly
>via the HTTP server on port 80?
>--
>Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
>for more info see URL: http://www.dsv.su.se/jpalme/

Michael W. Condry
Director, Network Edge Technology
Received on Thursday, 9 August 2001 11:15:51 GMT
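The quoted question describes an HTTP server acting as a multiplexing agent that hands requests on port 80 to several applications, and asks whether data forwarded that way can still overflow a backend that expects a bounded input. The following is an added illustration, not code from this thread, from draft-moore-using-http-01.txt, or from either correspondent: a minimal front end that parses a raw HTTP request, routes it by path to one of several handlers, and enforces both a global body limit and a per-application limit before the bytes reach the backend. The route names, limits and the simulated fixed-size backend are constructed for the example.

```python
"""Added example: an HTTP "multiplexing agent" with input limits.

Not part of the archived message. Routes, limits and the simulated
legacy backend are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MAX_BODY = 4096            # global cap enforced by the front end (constructed)
LEGACY_BUFFER = 64         # fixed-size buffer of the simulated backend (constructed)

Response = Tuple[int, bytes]


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Parse one HTTP/1.x request, rejecting bodies that exceed MAX_BODY
    or that do not match the declared Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "0"))
    if declared > MAX_BODY:
        raise ValueError("declared body exceeds front-end limit")
    if len(body) != declared:
        raise ValueError("body length does not match Content-Length")
    return Request(method, target, headers, body)


# --- the applications behind the multiplexer (constructed) ----------------

def echo_app(req: Request) -> Response:
    return 200, req.body


def legacy_app(req: Request) -> Response:
    """Stands in for a backend with a fixed-size buffer: it would be
    overflowed by any body longer than LEGACY_BUFFER, so the front end
    must never forward such a body."""
    if len(req.body) > LEGACY_BUFFER:
        raise OverflowError("backend buffer overflowed")
    return 200, b"ok"


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/echo": echo_app,
    "/legacy": legacy_app,
}
# Per-application limits the multiplexer enforces before dispatch.
ROUTE_LIMITS: Dict[str, int] = {"/legacy": LEGACY_BUFFER}


def dispatch(raw: bytes) -> Response:
    """Parse, route and bound-check one request; the backend only sees
    bodies within its declared limit."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return 400, str(exc).encode()
    handler = ROUTES.get(req.path)
    if handler is None:
        return 404, b"no such application"
    limit = ROUTE_LIMITS.get(req.path, MAX_BODY)
    if len(req.body) > limit:
        return 413, b"payload exceeds application limit"
    return handler(req)


def build_request(method: str, path: str, body: bytes) -> bytes:
    """Construct a raw request for testing (constructed input)."""
    head = f"{method} {path} HTTP/1.1\r\nHost: example.invalid\r\n" \
           f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("ascii") + body


if __name__ == "__main__":
    for path, size in (("/echo", 5), ("/legacy", 10), ("/legacy", 100)):
        print(path, size, dispatch(build_request("POST", path, b"A" * size)))
```

The point the example makes is that multiplexing on port 80 moves the boundary check from the firewall (which can no longer tell the applications apart) to the multiplexer: if the front end does not know each backend's limits and enforce them, the overflow the question worries about reaches the application exactly as it would on a dedicated port.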
