Re: Citrix ICA through port 80?

From: Crispin Cowan (crispinat_private)
Date: Sat Feb 12 2000 - 14:23:28 PST

    Ivan Fox wrote:
    
    > If users can bypass a firewall, what's the point of having a firewall?
    
    Firewalls are to keep the bad packets out.  Firewalls are completely
    ineffective at keeping the users in.  They were not designed to contain
    users, and are completely incapable of containing a determined user.
    
    For a counter-example to the idea of using firewalls to contain inside
    users, consider MJR's demo-ware that implemented TCP/IP over top of DNS
    requests.  If you can get any data at all out, then you can put TCP/IP on
    top of it, and from there you can do anything.
    
    Thus for security purposes, firewalls are strictly access control devices
    to control what outsiders can do to your inside.  Your firewall may be
    performing some kind of control on what your inside users can pass out,
    but it is strictly a convenience factor.  A determined user can always
    push out if they want to.
    
    Crispin
    -----
    Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
    Free Hardened Linux Distribution:                 http://immunix.org
                      JOBS!  http://immunix.org/jobs.html
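
The DNS case mentioned in the message, viewed from the monitoring side (an added example, not part of the original post): a sketch that scores DNS query logs for the many long, high-entropy subdomain labels that data carried in DNS requests produces. The log format, thresholds, two-label zone split and sample data are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character of the observed character distribution."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values()) if total else 0.0

def find_tunnel_candidates(log_lines, min_unique=10, min_avg_len=30, min_entropy=3.5):
    """Group queries by (client, parent zone) and flag groups whose
    subdomain labels are numerous, long and high-entropy."""
    groups = defaultdict(set)
    for line in log_lines:
        # Assumed log format: "<client-ip> <qname> <qtype>"
        client, qname, _qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Simplification: treat the last two labels as the parent zone
        # (a production version would consult the Public Suffix List).
        zone = ".".join(labels[-2:])
        groups[(client, zone)].add("".join(labels[:-2]))
    findings = []
    for (client, zone), subs in sorted(groups.items()):
        avg_len = sum(map(len, subs)) / len(subs)
        entropy = shannon_entropy("".join(subs))
        if len(subs) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            findings.append((client, zone, len(subs), round(avg_len, 1), round(entropy, 2)))
    return findings

def constructed_sample():
    """Constructed log: ordinary lookups plus one client emitting encoded labels."""
    lines = [f"10.0.0.5 {h}.example.com A" for h in ("www", "mail", "api", "www")]
    lines += [f"10.0.0.7 {h}.example.org AAAA" for h in ("cdn", "static")]
    for i in range(20):
        # Stand-in for payload chunks: base32 of a hash, 40 characters per label
        chunk = base64.b32encode(hashlib.sha256(str(i).encode()).digest())[:40].decode().lower()
        lines.append(f"10.0.0.9 {chunk}.t.tunnel.test TXT")
    return lines

if __name__ == "__main__":
    for finding in find_tunnel_candidates(constructed_sample()):
        print(finding)
```

A heuristic like this only surfaces candidates for review; it does not change the message's point that the channel itself cannot be closed by the firewall.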
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:22 PDT