From: Billy Crook <billycrook@gmail.com>
To: paddy joesoap <paddyjoesoap@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: In practice how are firewalls used to protect IM traffic?
Date: Tue, 15 Jun 2010 06:22:05 -0500
Message-ID: <AANLkTinSfIfpy-irvVxsCChipmnroPogtCuYXXQ4dGEe@mail.gmail.com>
In-Reply-To: <AANLkTiknNHF-vDIDN0L3eho8KXP2w3sjzE-n3O6swrw0@mail.gmail.com>
On Tue, Jun 15, 2010 at 06:00, paddy joesoap <paddyjoesoap@gmail.com> wrote:
> In securing XMPP (Jabber, IM) servers, what role does an iptables
> firewall play in practice.
Not a big role in and of itself if by server you mean the process that
accepts connections from clients.
> The XMPP community tend to think of TLS communication channels only
That's an overstatement.
> I'd imagine that some enterprises want to inspect at the firewall (or
> ...
> with IM conversations is blocked. In such scenarios, is it best
> practice to remove the TLS option and thereby losing some proof of
> identity (certificates) in favour of deep packet inspection?
Another option is for that enterprise to maintain a malicious root
certificate internally with which to generate spoofed domain certs on
the fly. This has been done for https already in several products.
Whether this practice, or outright banning of encrypted outbound
connections is 'best practice' is a matter of opinion. I would say
no.
> Are there scenarios where an enterprise that is geographically spread
> who use VPN's such that they do not require TLS encryption on the XMPP
How large does an enterprise need to be before the risk of malicious
interception within its own network is as reasonable as on the public
internet? I don't take for granted that my physical lan is inherently
secure. End to end encryption will only become more popular. I was
hoping for it to be managed by the kernels of the endpoints and happen
in the form of automatic IPSec, but running TLS in the client/server
software has proven more attractive to most people.
> While XMPP servers such as Openfire have TLS functionality end-to-end,
> are these used in practice by security administrators or is some of
> the communication desired in the clear for DPI.
My vote goes to end to end, untainted TLS. Run selinux/apparmor/grsec
on the server if you understand essential server daemons can have
bugs.
> While I understand that layer 7 filtering should really be left to
> application specific filters, iptables has some functionality with its
I'd still leave the filtering to an IDS, and let the IDS add rules to
the firewall in real time.
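The "let the IDS add rules to the firewall" pattern from the reply above, as an added example that is not code from the message, from the netfilter project or from any IDS: a small Python script that reads Snort/Suricata "fast"-format alert lines and turns them into iptables commands for a dedicated chain. The chain name IDS_BLOCK, the list of protected networks, the 198.51.100.5 server address and the sample alert lines (made-up signature IDs, documentation addresses) are all constructed for this example; the commands are returned rather than executed so the result can be reviewed or handed to a sudo-restricted helper.

```python
"""Turn IDS alerts into netfilter DROP rules (IDS -> firewall feedback).

Added example, not part of the original message. Parses Snort/Suricata
"fast" alert lines, filters by priority and a protected-network list,
de-duplicates per source address, and returns the iptables commands.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Snort "fast" alert format (Suricata's fast.log has the same shape):
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:SP -> DST:DP
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9A-Fa-f.:]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9A-Fa-f.:]+):(?P<dport>\d+)\s*$"
)

# Assumption (constructed for this example): sources that are never
# auto-blocked, whatever the IDS says. Without such a list, anyone who can
# trigger an alert from a spoofed or shared address gets your firewall to
# cut off that address for them. RFC 1918 space, loopback and the XMPP
# server itself (198.51.100.5, a documentation address) are listed here.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "198.51.100.5/32",
)]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    priority: int   # Snort convention: 1 is the most severe
    src: IPAddr
    dport: int
    msg: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format line; return None for anything that does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return Alert(int(m["gid"]), int(m["sid"]), int(m["prio"]),
                 src, int(m["dport"]), m["msg"])


def is_protected(addr: IPAddr, nets=PROTECTED) -> bool:
    return any(addr in n for n in nets)


def chain_setup(chain: str = "IDS_BLOCK") -> List[str]:
    """Dedicated chain hooked at the top of INPUT, so the IDS only ever
    appends to (or flushes) its own chain and never touches the base policy."""
    return [f"iptables -N {chain}", f"iptables -I INPUT 1 -j {chain}"]


def plan_blocks(lines, max_priority: int = 2, chain: str = "IDS_BLOCK",
                protected=PROTECTED) -> List[str]:
    """One DROP per offending source, first-seen order, de-duplicated.
    max_priority=2 acts on priority 1 and 2 alerts and ignores the rest."""
    cmds: List[str] = []
    seen = set()
    for line in lines:
        a = parse_alert(line)
        if a is None or a.priority > max_priority:
            continue
        if is_protected(a.src, protected) or a.src in seen:
            continue
        seen.add(a.src)
        tool = "ip6tables" if a.src.version == 6 else "iptables"
        # The comment match keeps the originating signature visible in
        # `iptables -L IDS_BLOCK` for later triage.
        cmds.append(f'{tool} -A {chain} -s {a.src} '
                    f'-m comment --comment "ids:{a.gid}:{a.sid}" -j DROP')
    return cmds


# Constructed sample alerts (made-up SIDs, documentation addresses); not
# output from any real sensor.
SAMPLE_ALERTS = """\
06/15-11:20:01.000001  [**] [1:1000001:1] XMPP brute-force login [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40001 -> 198.51.100.5:5222
06/15-11:20:02.000002  [**] [1:1000001:1] XMPP brute-force login [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:40002 -> 198.51.100.5:5222
06/15-11:20:03.000003  [**] [1:1000002:1] XMPP unusual client string [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:40003 -> 198.51.100.5:5222
06/15-11:20:04.000004  [**] [1:1000001:1] XMPP brute-force login [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:40004 -> 198.51.100.5:5222
06/15-11:20:05.000005  [**] [1:1000003:2] XMPP plaintext auth [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.20:40005 -> 198.51.100.5:5222
this line is not an alert and is skipped
""".splitlines()


if __name__ == "__main__":
    for c in chain_setup() + plan_blocks(SAMPLE_ALERTS):
        print(c)
```

On the sample input this yields two DROP rules (203.0.113.7 once despite two alerts, and 203.0.113.20); the priority-3 alert and the alert from 10.1.2.3 produce nothing. In a real deployment the script would be fed by the IDS's output plugin and paired with an expiry (flush or age out the chain) so a transient or spoofed trigger does not become a permanent block.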
Thread overview: 4+ messages
2010-06-15 11:00 In practice how are firewalls used to protect IM traffic? paddy joesoap
2010-06-15 11:22 ` Billy Crook [this message]
2010-06-16 8:37 ` Jan Engelhardt
2010-06-17 12:19 ` paddy joesoap