I think this discussion is really another manifestation of Ranum's Law: You can't solve social problems with software. Yes, you can make it harder, but *any* bidirectional channel can be used for tunneling. You have two choices: "persuade" employees that the firewall policies are reasonable (and take appropriate action if folks don't go along), or modify your firewall policy to conform to reality.

That brings up my own "law": you can't use technical mechanisms to enforce a stronger security policy than the organizational culture will support. (I once made that observation when giving a talk at, umm, some government organization somewhere. I remarked over lunch that at least they had a culture that understood the need for security. My hosts gave me this pained look, before someone said "well, parts of the organization". I later told that story to someone else who worked there. Her response was "that's right; I have to get my job done, and I can't let the !@#$%^ firewall get in the way.") Your mileage may vary -- but probably not by very much.

I'm endlessly amused by people who try to design new protocols to live on top of HTTP, simply because that's something that can often get through firewalls. My own opinion is that if you *need* to get something through a firewall, open up the port -- and instead design protocols that are easy to inspect and/or proxy.

--Steve Bellovin
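The two points in the message above (any permitted bidirectional channel carries an arbitrary inner protocol, and a protocol designed to be inspected is the one a proxy can actually police) as an added, self-contained example; it is not code from Bellovin's post or from any product. It tunnels an invented line-oriented command protocol through ordinary HTTP POST/response pairs over an in-process socket pair, then shows the policy an inspecting proxy can enforce on a JSON-bodied design versus an opaque octet-stream body. The path `/sync`, the host name, the media types, the `ALLOWED_OPS` policy and the inner protocol itself are all assumptions made for the illustration.

```python
"""
Added example, not part of Bellovin's message: an invented non-HTTP
command protocol carried inside HTTP POST/response pairs, beside the
check an inspecting proxy can actually enforce. Path, host, media types
and the inner protocol are assumptions.
"""
import json
import socket
import threading

TUNNEL_PATH = b"/sync"                     # assumed; any permitted path will do
TUNNEL_HOST = b"intranet.example.invalid"  # assumed Host header


def frame(start_line: bytes, content_type: bytes, body: bytes) -> bytes:
    """Build one HTTP/1.1 message using Content-Length framing."""
    head = b"\r\n".join([
        start_line,
        b"Host: " + TUNNEL_HOST,
        b"Content-Type: " + content_type,
        b"Content-Length: " + str(len(body)).encode(),
    ])
    return head + b"\r\n\r\n" + body


def parse(message: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def recv_message(sock: socket.socket):
    """Read exactly one Content-Length framed message from a socket."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed during headers")
        buf += chunk
    start, headers, body = parse(buf)
    want = int(headers.get(b"content-length", b"0"))
    while len(body) < want:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed during body")
        body += chunk
    return start, headers, body[:want]


# --- the tunneled protocol: opaque bytes, not HTTP at all -------------------
def inner_service(command: bytes) -> bytes:
    """Constructed toy protocol: 'UPPER x' -> 'X', 'REV abc' -> 'cba'."""
    verb, _, arg = command.partition(b" ")
    if verb == b"UPPER":
        return arg.upper()
    if verb == b"REV":
        return arg[::-1]
    return b"ERR unknown verb"


def tunnel_server(sock, n_messages: int) -> None:
    """Unwrap each POST body, run the inner service, wrap the reply in a 200."""
    for _ in range(n_messages):
        _, _, body = recv_message(sock)
        sock.sendall(frame(b"HTTP/1.1 200 OK", b"application/octet-stream",
                           inner_service(body)))


def tunnel_client(sock, command: bytes) -> bytes:
    """Wrap one inner command in a POST and return the unwrapped reply body."""
    sock.sendall(frame(b"POST " + TUNNEL_PATH + b" HTTP/1.1",
                       b"application/octet-stream", command))
    _, _, body = recv_message(sock)
    return body


def run_tunnel(commands):
    """Drive the tunnel over an in-process socket pair; return inner replies."""
    client_end, server_end = socket.socketpair()
    srv = threading.Thread(target=tunnel_server, args=(server_end, len(commands)))
    srv.start()
    replies = [tunnel_client(client_end, c) for c in commands]
    srv.join()
    client_end.close()
    server_end.close()
    return replies


# --- what an inspecting proxy can and cannot enforce ------------------------
ALLOWED_OPS = {"upper", "rev"}   # assumed policy for the inspectable design


def inspectable_request(op: str, arg: str) -> bytes:
    """The alternative Bellovin argues for: a body the proxy can parse and judge."""
    body = json.dumps({"op": op, "arg": arg}).encode()
    return frame(b"POST " + TUNNEL_PATH + b" HTTP/1.1", b"application/json", body)


def proxy_allows(message: bytes) -> bool:
    """Only a JSON body naming a known op passes; an opaque body is refused."""
    start, headers, body = parse(message)
    if not start.startswith(b"POST " + TUNNEL_PATH + b" "):
        return False
    if headers.get(b"content-type") != b"application/json":
        return False            # octet-stream could be anything: refuse it
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return (isinstance(doc, dict) and doc.get("op") in ALLOWED_OPS
            and isinstance(doc.get("arg"), str))
```

`run_tunnel([b"UPPER hello", b"REV abc"])` returns the inner replies intact even though every byte on the wire was a well-formed HTTP message, which is the tunneling point; `proxy_allows` shows the flip side, that a proxy can only say yes or no to a body it can parse against a known vocabulary, which is why a protocol meant to cross a firewall should be built to be inspected rather than merely to look like HTTP.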
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:45 PDT