Does most firewalls' default configuration allow secured TCP the same as HTTPS?

Views: 500

Question

I need to implement secure data transfer from client to server (binary data). I'm looking for a solution that doesn't require clients to configure firewall exceptions.

The obvious choice is HTTPS. Most firewalls allow outgoing HTTPS by default. There are two issues with HTTPS:

  1. I don't want to implement HTTPS (even the simplest possible version) because I don't need its complexity. A simple custom secure binary protocol would be enough.

  2. I'd like to avoid the overhead of the base64 encoding required for binary data to be put into an HTTP POST message (please correct me if I'm wrong). The client runs on weak hardware (an embedded system).

Now, my assumptions. Since HTTPS is encrypted (by definition), a firewall cannot parse it or check whether the data is base64 encoded. This means I can use my custom TCP secured protocol on the HTTPS port (443) to imitate HTTPS, and the firewall won't be able to distinguish it from HTTPS. Please confirm or explain what my mistake is.
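On the base64 point raised in the question: an HTTP request body is an opaque byte sequence, and base64 is only needed when the bytes have to live inside a text container such as a form field or a JSON string. The following is an added example in Python, not code from the question or from the answer below. It runs a constructed local plain-HTTP echo server so the round trip works offline; `make_https_connection` shows the same client code with the socket wrapped in TLS (the host name `example.invalid` is a placeholder and is never contacted).

```python
"""Raw binary POST round trip (added example, not from the original page).

The client sends the payload verbatim with Content-Type: application/octet-stream;
nothing on the wire is base64-encoded. The local server below is constructed
for this example only: it answers with the SHA-256 of the body it received,
so the client can verify that every byte arrived intact.
"""
import hashlib
import http.client
import os
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _HashingHandler(BaseHTTPRequestHandler):
    """Reads the raw request body and replies with its SHA-256 hex digest."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        digest = hashlib.sha256(body).hexdigest().encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(digest)))
        self.end_headers()
        self.wfile.write(digest)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_local_server():
    """Start the constructed echo server on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _HashingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_binary(host, port, payload, path="/upload", conn=None):
    """POST `payload` as an opaque byte body; return (status, response bytes)."""
    if conn is None:
        conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=payload,
                 headers={"Content-Type": "application/octet-stream",
                          "Content-Length": str(len(payload))})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def make_https_connection(host, port=443):
    """Same request path over TLS: the HTTP layer is unchanged, only the socket
    is wrapped. Certificate and hostname verification stay on (default context).
    Constructing the object does not connect; `host` is a placeholder here."""
    ctx = ssl.create_default_context()
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=5)


def round_trip(payload):
    """Post `payload` to the local server and return True if the server saw
    exactly the same bytes (its digest matches ours)."""
    server = start_local_server()
    try:
        status, reply = post_binary("127.0.0.1", server.server_address[1], payload)
    finally:
        server.shutdown()
        server.server_close()
    expected = hashlib.sha256(payload).hexdigest().encode("ascii")
    return status == 200 and reply == expected


if __name__ == "__main__":
    # Constructed payload covering every byte value, including NUL and 0xFF.
    sample = bytes(range(256)) + os.urandom(1024)
    print("server received the payload intact:", round_trip(sample))
    print("TLS client would talk to port", make_https_connection("example.invalid").port)
```

The only difference between the plaintext and TLS variants is the connection class and the `ssl.SSLContext`; the request, headers and body are identical, which is why the answer's fallback of "https and POST" costs the client nothing in encoding overhead.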

Answer

IMO a firewall is not really a good firewall unless the "default" configuration is to deny everything in/out (for instance, this is what a Juniper SRX and a Cisco ASA do by default). The most common firewall configurations typically allow HTTPS through.

As for building your own custom protocol, please, for the love of pizza (and your own sanity), use one of the many standardized file transfer protocols that already exist... the choices are wide open, such as ftp, rsync, http (see below), scp, and sftp.

Two things you need to think about...

  • The first thing you need to worry about is whether your clients perform some kind of deep packet inspection to verify that you aren't just tunneling "other stuff" through TCP/443. This isn't common today, but some people do it.
  • Another point: some people (you may be surprised at how many) get a generic SSL certificate and build a transparent proxy for all http/https. That will mess your plans up; at this point you need https and POST.
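To make the first bullet concrete from the inspecting side: the cheapest check a deep-packet-inspection box can apply to a new connection on TCP/443 is whether the first bytes parse as the start of a TLS handshake (a ClientHello record). The following is an added example in Python, not code from the answer or from any firewall product. The record-layer and handshake-header layout it checks is the standard TLS one; the sample first packets, including the `build_client_hello` helper that fabricates a minimal ClientHello, are constructed for the example.

```python
"""First-packet classifier for TCP/443 (added example, not from the original answer).

Decides whether the opening bytes of a connection look like a TLS ClientHello.
Anything else arriving on 443 (plain HTTP, a custom binary protocol, a
truncated stream) is reported as "not-tls" for review.
"""
import struct

TLS_HANDSHAKE = 0x16   # record-layer content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type
MAX_RECORD_LEN = 16384 # TLS plaintext records are at most 2^14 bytes
# Record/legacy versions seen in practice: SSLv3 .. TLS 1.2. TLS 1.3 keeps
# 0x0301 or 0x0303 in these fields for compatibility.
KNOWN_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
MIN_CLIENT_HELLO_BODY = 2 + 32  # client_version + random, before session id


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Return True if `data` begins with a plausible TLS ClientHello.

    Layout checked:
      record header:    type(1) version(2) length(2)
      handshake header: type(1) length(3)
      ClientHello body: client_version(2) random(32) ...
    """
    if len(data) < 5 + 4 + MIN_CLIENT_HELLO_BODY:
        return False
    rec_type, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if rec_type != TLS_HANDSHAKE or rec_version not in KNOWN_VERSIONS:
        return False
    if rec_len < 4 + MIN_CLIENT_HELLO_BODY or rec_len > MAX_RECORD_LEN:
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len < MIN_CLIENT_HELLO_BODY:
        return False
    (client_version,) = struct.unpack("!H", data[9:11])
    return client_version in KNOWN_VERSIONS


def build_client_hello(random_bytes: bytes = bytes(32)) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, no extensions."""
    body = struct.pack("!H", 0x0303) + random_bytes + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"                 # cipher suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                        # compression methods: null only
    body += struct.pack("!H", 0)                               # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


# Constructed sample first packets, keyed by a label for the report.
SAMPLE_FIRST_PACKETS = {
    "browser-like": build_client_hello(),
    "plain-http-on-443": b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "custom-binary": b"\x01\x00\x00\x10" + bytes(range(16)),
    "truncated-hello": build_client_hello()[:20],
}


def classify(first_packets):
    """Map each label to 'tls-handshake' or 'not-tls'."""
    return {name: ("tls-handshake" if looks_like_tls_client_hello(d) else "not-tls")
            for name, d in first_packets.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_FIRST_PACKETS).items():
        print(f"{name:20s} {verdict}")
```

This header check is deliberately shallow: it establishes only that the stream starts the way TLS does, which is the level at which the answer says some (not most) firewalls inspect today. The second bullet describes the stronger control, a TLS-terminating proxy that completes the handshake itself; a protocol that merely mimics the record header does not get past that, which is why the answer concludes that a real HTTPS client with POST is the robust choice.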
