>> To this day I have never yet seen a firewall which blocks *outbound*
>> traffic. So I don't see why this would even be an issue.
>>
>
> That's because you haven't seen many firewalls!
>
> At my current place of employment, there are three different layers of
> firewalls between the user environment and the public Internet. Not only
> does each layer block unauthorized traffic in both directions, there isn't
> even a default route out to the Internet. You need to talk to the proxy
> server infrastructure, and it only accepts specific ports.
>
> And looking in the other direction, there are also firewalls between the
> labs, UAT environments, and regular network, as well as protecting the
> mainframes from the unwashed masses.
>
> For B2B extranets, it's even more prevalent. There, firewalls will
> usually also be very strict in what they allow out, because the last
> thing you want is a letter from the legal dept. of Boeing, NASA, or say,
> the London Stock Exchange saying you are trying to infect their network
> with bots.
And you're seriously saying that somebody would go to all that trouble,
and then allow arbitrary Internet traffic so long as it's on TCP port 80?
On 2011-11-28 04:02, Invisible wrote:
>>> To this day I have never yet seen a firewall which blocks *outbound*
>>> traffic. So I don't see why this would even be an issue.
>>>
>>
>> That's because you haven't seen many firewalls!
>>
>> At my current place of employment, there are three different layers of
>> firewalls between the user environment and the public Internet. Not only
>> does each layer block unauthorized traffic in both directions, there isn't
>> even a default route out to the Internet. You need to talk to the proxy
>> server infrastructure, and it only accepts specific ports.
>>
>> And looking in the other direction, there are also firewalls between the
>> labs, UAT environments, and regular network, as well as protecting the
>> mainframes from the unwashed masses.
>>
>> For B2B extranets, it's even more prevalent. There, firewalls will
>> usually also be very strict in what they allow out, because the last
>> thing you want is a letter from the legal dept. of Boeing, NASA, or say,
>> the London Stock Exchange saying you are trying to infect their network
>> with bots.
>
> And you're seriously saying that somebody would go to all that trouble,
> and then allow arbitrary Internet traffic so long as it's on TCP port 80?
Where did I say that?
I did say that traffic has to go through a proxy before getting out,
didn't I? Since, as you point out, lots of thought went into designing
the various security zones and their respective security policies, one
can safely assume that a similar level of care went into designing the
proxy infrastructure. Of course URLs are filtered, pages scanned on the
fly, Java applet signatures verified, etc...
If I'm really lucky, I'd be able to listen to some streaming radio site,
but my internet usage would probably be reported to my manager.
Thankfully, I work from home most of the time, so I don't have to worry
about losing my job because I spent a few minutes watching a Youtube video.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
>> And you're seriously saying that somebody would go to all that trouble,
>> and then allow arbitrary Internet traffic so long as it's on TCP port 80?
>
> Where did I say that?
Well, you didn't. But this whole "everybody uses HTTP because it goes
through the firewall" seems absurd to me, because... well... people
filter HTTP traffic too, no?
On 11/28/2011 1:02, Invisible wrote:
> And you're seriously saying that somebody would go to all that trouble, and
> then allow arbitrary Internet traffic so long as it's on TCP port 80?
Not any more. Now people invented "application-layer proxies" to prevent you
from doing that sort of crap.
Look up "push web" online. That's what they used to call this stuff before
it became just a normal part of doing business.
--
Darren New, San Diego CA, USA (PST)
People tell me I am the counter-example.
On Mon, 28 Nov 2011 09:02:07 +0000, Invisible wrote:
> And you're seriously saying that somebody would go to all that trouble,
> and then allow arbitrary Internet traffic so long as it's on TCP port
> 80?
Yep, lots of businesses do that.
When I was traveling to teach, I would often (after getting approval from
the client) tunnel through HTTP to get ssh and (primarily) e-mail
connections to my corporate servers.
Jim
>> And you're seriously saying that somebody would go to all that trouble,
>> and then allow arbitrary Internet traffic so long as it's on TCP port
>> 80?
>
> Yep, lots of businesses do that.
That's kind of bizarre, don't you think?
> When I was traveling to teach, I would often (after getting approval from
> the client) tunnel through HTTP to get ssh and (primarily) e-mail
> connections to my corporate servers.
I can see how it would be pretty trivial to just run SSH over TCP port
80. But I don't see how you can tunnel SSH over HTTP...
On Tue, 29 Nov 2011 09:02:46 +0000, Invisible wrote:
>>> And you're seriously saying that somebody would go to all that
>>> trouble,
>>> and then allow arbitrary Internet traffic so long as it's on TCP port
>>> 80?
>>
>> Yep, lots of businesses do that.
>
> That's kind of bizarre, don't you think?
Not really, identifying what the traffic actually is requires a fair bit
of work.
>> When I was traveling to teach, I would often (after getting approval
>> from the client) tunnel through HTTP to get ssh and (primarily) e-mail
>> connections to my corporate servers.
>
> I can see how it would be pretty trivial to just run SSH over TCP port
> 80. But I don't see how you can tunnel SSH over HTTP...
Go have a look at the program 'httptunnel'. You do need a listener on
the outside.
Jim
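The thread turns on three points: Francois's proxy that "only accepts specific ports", Darren's application-layer proxies, and Jim's remark that "identifying what the traffic actually is requires a fair bit of work". The Python below is an added illustration of what that work looks like on the defender's side; it is not code from any poster, nor from httptunnel or any real proxy. It looks at the first payload bytes of an outbound TCP stream on port 80 and applies a toy egress policy: a stream must start with a well-formed HTTP request line, CONNECT may only target an allow-listed port (assumed here to be just 443), and a POST/PUT whose body is binary while its declared Content-Type is textual is flagged as a possible tunnel. The SSH banner check uses the RFC 4253 identification string and the TLS check uses the record header (content type 0x16, major version 3); everything else, including all sample streams, is constructed for the example.

```python
"""Egress classifier for the first bytes of a TCP stream on tcp/80.
Added example for this thread; policy values and samples are assumptions."""
import re
from dataclasses import dataclass

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_CONNECT_PORTS = {443}          # assumed policy: CONNECT only to TLS ports
TLS_HANDSHAKE, TLS_MAJOR = 0x16, 0x03   # TLS record: content type, version major
TEXTUAL = ("text/", "application/x-www-form-urlencoded",
           "application/json", "application/xml")


@dataclass
class Verdict:
    proto: str    # "http", "ssh", "tls" or "unknown"
    allow: bool
    reason: str


def split_request(data: bytes):
    """Split an HTTP request into (request line, headers dict, body)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0], headers, body


def looks_binary(body: bytes, threshold: float = 0.3) -> bool:
    """True when more than `threshold` of the bytes are outside printable ASCII."""
    if not body:
        return False
    odd = sum(1 for b in body if (b < 0x20 and b not in (9, 10, 13)) or b > 0x7E)
    return odd / len(body) > threshold


def classify(first_bytes: bytes, dst_port: int) -> Verdict:
    """Identify the protocol from the opening bytes and apply the egress policy."""
    if first_bytes.startswith(b"SSH-"):
        # RFC 4253 identification string: SSH announces itself on any port
        return Verdict("ssh", False, f"SSH banner on tcp/{dst_port}")
    if len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE and first_bytes[1] == TLS_MAJOR:
        # Raw TLS ClientHello instead of a CONNECT through the proxy
        return Verdict("tls", False, f"raw TLS record on tcp/{dst_port}")
    m = REQUEST_LINE.match(first_bytes)
    if m is None:
        return Verdict("unknown", False, f"no HTTP request line on tcp/{dst_port}")
    method, target = m.group(1).decode("ascii"), m.group(2).decode("ascii")
    if method not in HTTP_METHODS:
        return Verdict("unknown", False, f"unrecognised method {method}")
    _, headers, body = split_request(first_bytes)
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return Verdict("http", False, "CONNECT without host:port target")
        if int(port) not in ALLOWED_CONNECT_PORTS:
            return Verdict("http", False, f"CONNECT to {host}:{port} not allowed")
        return Verdict("http", True, f"CONNECT to {host}:{port}")
    if not target.startswith(("http://", "/")):
        return Verdict("http", False, f"unexpected request target {target}")
    if method in ("POST", "PUT"):
        ctype = headers.get("content-type", "")
        if (not ctype or ctype.startswith(TEXTUAL)) and looks_binary(body):
            # Textual type declared, binary body sent: inspect further
            return Verdict("http", False,
                           f"{method} body is binary but declared {ctype or 'no type'}")
    return Verdict("http", True, f"{method} {target}")


# Constructed sample streams (not captured traffic), all destined to tcp/80.
SAMPLES = [
    (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n", 80),
    (b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n", 80),
    (b"CONNECT example.com:22 HTTP/1.1\r\nHost: example.com:22\r\n\r\n", 80),
    (b"SSH-2.0-OpenSSH_5.9\r\n", 80),
    (b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01", 80),
    (b"POST http://example.com/up HTTP/1.1\r\nHost: example.com\r\n"
     b"Content-Type: text/plain\r\nContent-Length: 16\r\n\r\n" + bytes(range(0x80, 0x90)), 80),
]


def scan(samples=SAMPLES):
    """Classify every sample stream and return the verdicts in order."""
    return [classify(data, port) for data, port in samples]


if __name__ == "__main__":
    for v in scan():
        print(f"{'ALLOW' if v.allow else 'BLOCK':5} {v.proto:7} {v.reason}")
```

The first-bytes heuristics are cheap and catch the cases the thread mentions (SSH on port 80, raw TLS bypassing the proxy, CONNECT to an arbitrary port). The body check is where the real effort starts: a tunnel wrapped in well-formed requests only stands out by the mismatch between what the headers declare and what the payload contains, which is why a proxy that wants to enforce "HTTP only" has to read past the request line.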