Re: Use ofHTTP to pass firewalls from Fredrik Björck on 2001-08-09 (ietf-discuss@w3.org from August 2001)

From: Fredrik Björck <bjorck@dsv.su.se>
Date: Thu, 9 Aug 2001 20:04:02 +0000 (GMT)
To: Jacob Palme <jptest@dsv.su.se>
cc: "Michael W. Condry" <condry@intel.com>, <discuss@apps.ietf.org>, Kristine Andersen <kristineandersen@hotmail.com>, Christer Backman <asphalt_world@hotmail.com>, Mats Wiklund <matsw@dsv.su.se>, Sead Muftic <sead@dsv.su.se>, keith Moore <moore@cs.utk.edu>
Message-ID: <Pine.SUN.4.30.0108091950160.17992-100000@luna.dsv.su.se>

RE: In addition: IDSs and Intranet servers.

Interesting discussion. And to add to the insecurity many "high-security"
organizations are using intrusion detection systems (IDS) without any
pattern matching on port 80 - they're just set the IDS to allow almost
anything to happen through port 80 - no alarm will ever ring. To add further
to that - all the ill-constructed intranet servers with global read as
default for all databases...makes the world less secure. Just as examples:
1) Lotus Notes Domino Web Server (many versions) with global read for all
new created databases and even write in some cases (yes, via a browser) to
setup and
configuration areas.(setup.nsf and domcfg.nsf). 2) Centrinity First Class
Intranet Server with global read to lists of all conferences and users.
And global write to all intranet conferences via other routes (such as
writing an email over port25 to the conference.name@server). The list goes
on and on... It just surprises me that very few organizations seem to
acknowledge the problem. Maybe now in these times of slow economic growth,
there's more time to think it over.

/Fredrik Bjorck (Stockholm University / KTH)

On Thu, 9 Aug 2001, Jacob Palme wrote:

> At 08.14 -0700 01-08-09, Michael W. Condry wrote:
> >See draft-moore-using-http-01.txt
>
> One should distinguish between use of HTTP as a transfer protocol
> for other applications than web server-web client-communication,
> and use of port 80 to bypass firewalls.
>
> draft-moore-using-http-01.txt is to a large extent a warning
> against using HTTP as a transfer protocol. However, there are
> valid reasons why people want to use HTTP, in particular that
> existing software can be reused. And use of HTTP does not mean
> that one has to use port 80 in order to bypass firewalls. It was
> that practice which my message was mainly asking about.
> --
> Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
> for more info see URL: http://www.dsv.su.se/jpalme/
>

Received on Friday, 10 August 2001 12:38:39 UTC