- From: Matthew Squire <Matthew_Squire@BayNetworks.COM>
- Date: Sat, 25 Jul 1998 08:17:11 -0400
- To: jg@pa.dec.com (Jim Gettys)
- Cc: www-http-ng-comments@w3.org
I must have trouble typing in the morning; the following paragraph was accidentally deleted from my previous post:

"Protocol discrimination/filtering is also heavily used within a campus. It gives a modicum of security and prevents accidental "leakage" of protocols between LANs. Mux'ing, which is basically a tunnelling protocol to the desktop, makes reliable protocol discrimination impossible in a switch/router, and seems to open up security problems within the campus as well."

>Date: Sat, 25 Jul 1998 07:42:16 -0400
>To: jg@pa.dec.com (Jim Gettys)
>From: Matt Squire <msquire@baynetworks.com>
>Subject: Re: SMUX comments
>Cc: www-http-ng-comments@w3.org
>
>As my last comment on the subject...
>
>I understand how firewalls and application proxies work, and I too have helped implement firewall schemes for multiple companies, beyond simple protocol filtering. I'm not claiming mux'ing is evil, only that it represents a *significant* paradigm shift for protocol identification, and hence protocol filtering, which has been and continues to be used by many folks as their first (and sometimes only) security measure. Not every company is running some server(s) as an application firewall(s) for every protocol.
>
>Does mux'ing make things worse? Probably not, especially not to a true attack. But it seems to open up more problems with "stupidity" attacks, things like config errors or innocent misuse.
>
>Mux'ing does CHANGE things, and hence it can invalidate existing measures. Some users might object to having a basic operating premise changed.
>
>- Matt

Received on Saturday, 25 July 1998 08:14:04 UTC