Hi Nathan,

Thanks for your comments. Please see responses inline.

Nathan Ward wrote:
> On 13/10/2008, at 4:38 PM, Suresh Krishnan wrote:
>>> The description of this method is not precise. Is the method to block dest ports, with these source ports, or either, or both?
>>>
>>>> One simple method to do that is easy to employ for many tunnel protocols is to block outbound packets to the UDP or TCP port used (e.g., UDP port 3544 for Teredo, UDP port 1701 for L2TP, etc.).
>>
>> The method is to block destination ports. We have changed this sentence to read (e.g., destination UDP port is 3544 for Teredo, UDP port 1701 for L2TP, etc.)
>
> This makes me squirm a bit.
>
> It seems silly to promote blocking discrete ports, when a user could simply run their own Teredo server on a different port and tunnel out with that, or run any other proxy or tunnel server of some kind on any port they wanted. We've all run PPP over SSH before, it's not hard to do this stuff, there are tools to do it automatically.
You are right. This will not stop people from tunneling over other ports. But what would you propose to be done instead?
> If an organisation is concerned about people tunnelling through their firewalls, they must use default-deny if they want to have any effect.
Given the savvy user you mentioned above, I don't understand how this will have any effect either. The users can still tunnel over anything that has been permitted ahead of the default deny.
>>> First, I'm going to read the sentence as if the word 'managed' was not used as I think all networks on the Internet are 'managed' to some degree. If the authors had a particular definition of the term 'managed network' in mind, they should define it. So reading the sentence without the term 'managed', this is basically a general applicability statement that use of tunneling over UDP or TCP is not recommended for use to 'reach the Internet'. I don't see this recommendation as being appropriate given the issue.
>>>
>>>> In 3.1.3, Tunneling over UDP or TCP (including HTTP) to reach the Internet is not recommended as a solution for managed networks.
>>
>> We have changed this text to read "Tunneling over UDP or TCP (including HTTP) to reach the Internet is not recommended as a solution for networks that wish to enforce security policies on the user traffic. (Windows, for example, disables Teredo by default if it detects that it is within an enterprise network that contains a Windows domain controller.)"
>
> Why tunnelling over UDP or TCP? Why not tunnelling in IP as in 6to4?
>
> I don't imagine that UDP makes it any more difficult to inspect than an IP protocol.
>
> I think this statement should be changed to "Tunnelling through a security device (i.e. firewall) is not recommended for ..." etc.

Sounds good. We will make this change.

Cheers
Suresh
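A small model of the two egress policies argued over above (the draft's "block the well-known tunnel port" rule versus the default-deny Nathan asks for), added here as an illustration; it is not part of the thread or of the draft text. The flows, the port numbers other than Teredo's 3544 and L2TP's 1701, and the DNS/HTTP/HTTPS allowlist are constructed assumptions, and the nftables rendering is only there so the two rule sets can be compared by eye.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Egress flows as a simple firewall sees them: IP protocol, plus the transport
# destination port where one exists.  "41" is IPv6-in-IPv4 (6to4), which carries
# no UDP/TCP header at all.  All flows below are constructed for this example.
@dataclass(frozen=True)
class Flow:
    label: str
    proto: str            # "udp", "tcp" or "41"
    dport: Optional[int]  # None for protocols without a transport port


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]  # None matches any protocol
    dport: Optional[int]  # None matches any port (including "no port")
    action: str           # "accept" or "drop"

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return True


# A policy is an ordered rule list plus the chain's default verdict.
Policy = Tuple[List[Rule], str]


def evaluate(policy: Policy, flow: Flow) -> str:
    """First matching rule wins; otherwise the chain's default verdict applies."""
    rules, default = policy
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def verdicts(policy: Policy, flows: List[Flow]) -> Dict[str, str]:
    """Verdict for every sample flow, keyed by the flow's label."""
    return {flow.label: evaluate(policy, flow) for flow in flows}


def render_nft(policy: Policy, chain: str) -> str:
    """Render the policy as an nftables output chain (assumed syntax, for comparison only)."""
    rules, default = policy
    lines = [f"chain {chain} {{",
             f"    type filter hook output priority 0; policy {default};"]
    for rule in rules:
        if rule.dport is not None:
            lines.append(f"    {rule.proto} dport {rule.dport} {rule.action}")
        elif rule.proto is not None:
            lines.append(f"    ip protocol {rule.proto} {rule.action}")
        else:
            lines.append(f"    {rule.action}")
    lines.append("}")
    return "\n".join(lines)


# Policy A: the draft's approach.  Block the well-known tunnel ports, allow the rest.
PORT_BLOCK: Policy = ([Rule("udp", 3544, "drop"),   # Teredo
                       Rule("udp", 1701, "drop")],  # L2TP
                      "accept")

# Policy B: default-deny with an explicit allowlist (assumed: DNS, HTTP, HTTPS only).
DEFAULT_DENY: Policy = ([Rule("udp", 53, "accept"),
                         Rule("tcp", 80, "accept"),
                         Rule("tcp", 443, "accept")],
                        "drop")

# Constructed sample flows covering the cases raised in the thread.
FLOWS = [
    Flow("teredo-standard-port", "udp", 3544),
    Flow("teredo-own-server-port", "udp", 3545),  # user-run Teredo server on an unlisted port
    Flow("6to4-protocol-41", "41", None),         # IP-in-IP: there is no UDP/TCP port to block
    Flow("ppp-over-ssh-on-443", "tcp", 443),      # tunnel hidden inside an allowed port
]

if __name__ == "__main__":
    for name, policy in (("port-block", PORT_BLOCK), ("default-deny", DEFAULT_DENY)):
        print(f"== {name} ==")
        print(render_nft(policy, "egress"))
        for label, verdict in verdicts(policy, FLOWS).items():
            print(f"  {label:26s} {verdict}")
```

Running it shows the two sides of the exchange in one table: the Teredo-on-another-port and 6to4 flows pass the port-block policy and are stopped only by default-deny, while the PPP-over-SSH flow on TCP 443 passes both, which is the case Suresh raises about users tunnelling over anything already permitted ahead of the default deny.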