Re: [TLS] Next protocol negotiation

Yoav Nir <ynir@checkpoint.com> Thu, 21 January 2010 05:52 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A7B073A6894 for <tls@core3.amsl.com>; Wed, 20 Jan 2010 21:52:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AaxmTopMkoRl for <tls@core3.amsl.com>; Wed, 20 Jan 2010 21:52:12 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 571B73A6876 for <tls@ietf.org>; Wed, 20 Jan 2010 21:52:12 -0800 (PST)
X-CheckPoint: {4B57E919-10004-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 714F229C005; Thu, 21 Jan 2010 07:52:07 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 4450929C002; Thu, 21 Jan 2010 07:52:07 +0200 (IST)
X-CheckPoint: {4B57E918-10000-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.32.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o0L5q7T7018761; Thu, 21 Jan 2010 07:52:07 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 21 Jan 2010 07:52:21 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Marsh Ray <marsh@extendedsubset.com>
Date: Thu, 21 Jan 2010 07:51:57 +0200
Thread-Topic: [TLS] Next protocol negotiation
Thread-Index: AcqaXeUVOeMquNcsTxOGPoGIYDDSqQ==
Message-ID: <B86D8ECB-A4C0-4A2E-88AB-230E81903FC6@checkpoint.com>
References: <C77C8BDE.E62A%dispensa@phonefactor.com> <4B573548.3090804@extendedsubset.com>
In-Reply-To: <4B573548.3090804@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Next protocol negotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2010 05:52:13 -0000

On Jan 20, 2010, at 6:54 PM, Marsh Ray wrote:

> Steve Dispensa wrote:
>> On 1/20/10 10:26 AM, "Marsh Ray" <marsh@extendedsubset.com>; wrote:
>>> One point of view is that firewall admins are ports because of their
>>> intentional policies and it is their right to control what goes on on
>>> their own network.
>> 
>> That's giving many administrators too much credit; the new WizBang
>> FireScannerProxyWallThingy(TM) is configured to automatically block anything
>> and everything, because that's what WizBang's coders read was best practice
>> in the latest Gartner report, and the administrator is only dimly aware of
>> what's really going on. He just knows he can check the box on this year's
>> SAS-70 audit.
> 
> That's an intentional policy which is their right to set (whether it's a
> good one or not).
> 
>> Surely you're right some of the time, but I suspect stuff gets automatically
>> blocked more often than not.
> 
> Blocking outbound connections based on destination port number is
> particularly stupid since it's a parameter trivially controlled by an
> attacker.
> 
> It's more a tactic to discourage people within the organization from
> using new protocols. Malware won't have any problems though.

That's right. The standard policy for firewalls these days, is to allow only ports 80+443 for the general population (The SMTP and DNS servers get to do more).
Port 80 gets deep inspected to see that it's standard WEB (with different products having different interpretations of "WEB" - some of them block Skype, others don't) and port 443 gets inspected for "looking like SSL", meaning handshake and application data records with reasonable lengths. This kind of policy can still work at line speed on modern hardware, and is very popular with auditors. It has the advantage that it is successful in blocking bandwidth wasters like file sharing, and the better product allow the administrator to configure whether to allow various peer2peer applications like Skype, GTalk or Messenger.

> 
> There will never be a clean and standardized way to get around firewalls
> that are trying to block you. Once a technique shows up on the radar,
> sooner or later it will get subjected to policy. The radar seems to get
> faster over time, too.

Thanks. We try.  :-)

> 
> For a high-profile company like Google to develop a new transport for
> the web, the best method might very well be to just get a proper port
> number allocation and make the protocol useful and secure enough that
> admins actually let it thorough. One thing that might help would be to
> make it easy for filtering proxies to inspect.

Google may seem high-profile, but even Microsoft, which is even more high-profile had to resort to the "everything over the web ports" for messenger.