
RE: Port numbers and IPv6 (was: I-D ACTION:draft-klensin-iana-reg-policy-00.txt)

2005-07-18 00:39:04


--On Friday, July 15, 2005 13:11:09 -0700 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:

> From: Jeffrey Hutzelman [mailto:jhutz(_at_)cmu(_dot_)edu]
>
> > On Friday, July 15, 2005 11:48:28 AM -0700 "Hallam-Baker, Phillip"
> > <pbaker(_at_)verisign(_dot_)com> wrote:
> >
> > Agree, for the most part.  Fixed port numbers do have some
> > operational advantages, though...
>
> They certainly have operational advantages for managers of firewalls
> that don't have the ability to perform filtering that is any more
> specific.
>
> And this had led protocol designers to run every new protocol over port
> 80 using the firewall bypass protocol HTTP.
>
> One nice feature of using DNS is that it means that you can perform a
> lot of control through the signalling channel alone.

warning... implementing control by denying information (such as not telling the bad guy which port the secured-by-obscurity process is ACTUALLY running on) is not terribly good security. It is certainly reasonable control over people who want to be controlled ("management"), but not very good control over people who do not want to be controlled ("security").

The story that comes to mind is attributed to the Norwegian railroad company, early 1940 (in April 1940, Norway was occupied by Nazi Germany....).

 Head conductor: "And in case of war, how would you deny the enemy the
     use of the railway system?"
 Junior conductor: "Burn all the tickets, SIR!"

Of course, if all protocols (and their implementations) were sufficiently secure themselves, firewalls wouldn't be needed, and the Net would be simpler than it is. But wishing won't make it so....


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf


