Re: SMUX comments

I must have trouble typing in the morning; the following paragraph was
accidentally deleted from my previous post:
"
Protocol discrimination/filtering is also heavily used within a campus.
It gives a modicum of security and prevents accidental "leakage" of
protocols between LANs.  Mux'ing, which is basically a tunnelling protocol
to the desktop, makes reliable protocol discrimination impossible in a
switch/router, and seems to open up security problems within the campus as
well.  
"


>Date: Sat, 25 Jul 1998 07:42:16 -0400
>To: jg@pa.dec.com (Jim Gettys)
>From: Matt Squire <msquire@baynetworks.com>
>Subject: Re: SMUX comments
>Cc: www-http-ng-comments@w3.org
>
>
>As my last comment on the subject...
>
>I understand how firewalls and application proxies work, and I too have
>helped implement firewall schemes for multiple companies, beyond simple
>protocol filtering.  I'm not claiming mux'ing is evil, only that it
>represents a *significant* paradigm shift for protocol identification, and
>hence protocol filtering, which has been and continues to be used by many
>folks as their first (and sometimes only) security measure.  Not every
>company is running some server(s) as an application firewall(s) for every
>protocol.
>
>Does mux'ing make things worse?  Probably not, especially not to a true
>attack.  But it seems to open up more problems with "stupidity" attacks,
>things like config errors or innocent misuse.
>
>Mux'ing does CHANGE things, and hence it can invalidate existing measures.
>Some users might object to having a basic operating premise changed.
>
>- Matt
>
>

Received on Saturday, 25 July 1998 08:14:04 UTC
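The protocol-discrimination point made in this exchange, shown as an added illustration that is not part of the thread and not SMUX code: a port-based filter sees only the TCP port and admits the whole connection, while a filter that understands the multiplexing frames can still decide per channel. The 4-byte frame header, the protocol numbers and the sample payloads below are constructed for the example and are not the real SMUX framing.

```python
"""Why a port-based filter cannot discriminate protocols carried inside a
multiplexed connection.  The frame header used here is a constructed
stand-in for illustration only, not the real SMUX framing."""
import struct

# Port-based ACL of the kind a campus router applies: permit web, deny the rest.
ALLOWED_PORTS = {80, 443}

# Sub-protocol identifiers for the toy mux; these numbers are made up.
PROTO_HTTP, PROTO_SMB, PROTO_TELNET = 1, 2, 3
PROTO_NAMES = {PROTO_HTTP: "http", PROTO_SMB: "smb", PROTO_TELNET: "telnet"}

HEADER = struct.Struct("!BBH")  # channel id, protocol id, payload length


def port_filter_allows(dst_port: int) -> bool:
    """The only decision a port-based ACL can make: look at the TCP port."""
    return dst_port in ALLOWED_PORTS


def mux_frame(channel: int, proto: int, payload: bytes) -> bytes:
    """Wrap one sub-protocol message in a toy mux frame."""
    return HEADER.pack(channel, proto, len(payload)) + payload


def demux(stream: bytes) -> list:
    """Split a mux stream back into (channel, proto, payload) tuples.
    Rejects truncated frames instead of silently passing a partial payload."""
    frames, off = [], 0
    while off < len(stream):
        if off + HEADER.size > len(stream):
            raise ValueError("truncated frame header at offset %d" % off)
        channel, proto, length = HEADER.unpack_from(stream, off)
        off += HEADER.size
        if off + length > len(stream):
            raise ValueError("truncated payload on channel %d" % channel)
        frames.append((channel, proto, stream[off:off + length]))
        off += length
    return frames


def mux_aware_filter(stream: bytes, allowed_protos: set) -> tuple:
    """A filter that understands the framing can still discriminate per channel.
    Returns (names of protocols passed, names of protocols dropped)."""
    passed, dropped = [], []
    for _channel, proto, _payload in demux(stream):
        name = PROTO_NAMES.get(proto, "unknown(%d)" % proto)
        (passed if proto in allowed_protos else dropped).append(name)
    return passed, dropped


def build_sample_stream() -> bytes:
    """Constructed sample: three protocols tunnelled in one connection to port 80."""
    return (mux_frame(1, PROTO_HTTP, b"GET / HTTP/1.1\r\n\r\n")
            + mux_frame(2, PROTO_SMB, b"\xffSMB...")
            + mux_frame(3, PROTO_TELNET, b"login: "))


def compare_filters(stream: bytes, dst_port: int = 80) -> dict:
    """What each filter decides for the same bytes arriving on the same port."""
    return {
        "port_filter_passes_everything": port_filter_allows(dst_port),
        "mux_aware": mux_aware_filter(stream, {PROTO_HTTP}),
    }


if __name__ == "__main__":
    result = compare_filters(build_sample_stream())
    print("port ACL admits the whole connection:", result["port_filter_passes_everything"])
    print("mux-aware filter passed/dropped:", result["mux_aware"])
```

The two filters disagree on the same bytes: the port ACL has nothing but "80" to go on and lets the SMB and telnet channels through with the HTTP one, which is exactly the leakage between LANs the post worries about. Recovering discrimination means the switch or router must parse the mux framing itself, and a truncated or malformed frame then has to be rejected rather than passed on a guess.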