>From email@example.com Wed Dec 1 17:44:07 1993
Date: Wed, 1 Dec 93 17:42:55 CST
From: firstname.lastname@example.org (Ying-Da Lee)
To: email@example.com, firstname.lastname@example.org
Subject: Re: Comparing firewall packages...
X-Mailing-List: email@example.com (SOCKS discussion list)
>I will be working with SOCKS now. Any information would be
>appreciated. I just want to know how secure SOCKS is, and what
>guarantees can be made about it... Thanks.
I don't know about guarantees. Should we start with 'as far as I
know, there is no way...' and see where it ends?
As far as I know, there is no way to initiate an attack into your
firewalled internal network through SOCKS if your SOCKS server is
properly configured. For example, if your internal network is
200.100.50 and you put the line
deny 0.0.0.0 0.0.0.0 184.108.40.206 255.255.255.0
at the top of your sockd.conf, the SOCKS server will fend off
all attempts to go through it to reach your inside hosts. No
routing tricks or IP address spoofing will make any difference.
This is not to say that you are not incurring some risks by
running SOCKS. You are, but these are the risks/vulnerabilities
accompanying the applications you allow to run on top of SOCKS,
not with SOCKS itself. For example, doing any network communication
without encryption runs the risk of having your password or other
confidential information stolen, whether you use SOCKS or not.
Blindly "displaying" a postscript file can end in a disaster
regardless of whether you retrieved the file through SOCKS or
not. SOCKS doesn't add more on top of these risks, but it doesn't
help you deal with them either.
It really can't if SOCKS is to remain a general purpose TCP relayer
without delving into the specific application protocols. This accounts
for the server's high efficiency. This independence of the application
protocol also makes it easy to convert an application program into a
SOCKS client. In addition, SOCKS probably will have a fairly easy time
accommodating security devices in the application protocols if and when
they are used.
So, if on balance you find the security risks of existing telnet, ftp,
Mosaic, etc. outweigh their usefulness to you and you are unable or
unwilling to develop a more secure version, then SOCKS is not for you.
If the balance tilts the other way, welcome to SOCKS.
I hope that's enough for a start.
Ying-Da Lee (214)518-3490 (214)518-3552 (FAX)
Principal Member, Technical Staff
NEC Systems Laboratory, C&C Software Technology Center /
NEC USA, Corporate Network Administration Division
The rest of this message was automatically appended by the socks list
mail munger. To send a message to the entire list, address it to:
firstname.lastname@example.org. However, if you want to get off the list or
change your address, please send a message to email@example.com,
and NOT the entire list. Thank you.