Re: Router filtering not enough! (Was: Re: CERT advisory )

[D.Mitchell () dcs shef ac uk (Dave Mitchell)]

"Jonathan M. Bresler" <jmb () kryten Atinc COM> writes:
> On Tue, 24 Jan 1995, Jim Duncan wrote:
>
> > > As has been pointed out, only network or
> > > transport-level encryption will entirely block these attacks.
> >
> > That's correct.  That and teach people the difference between identification
> > and authentication.
>
>       a filtering router is enough to prevent this attack from being 
> used from "the outside".

This is all well and good as long as there is a simple "inside"/"outside"
distinction. I am in this happy situation at the moment, and I have a filter
between my dept and the main campus which rejects external packets claiming
an internal src IP address. HOWEVER, I am likely to come under political
pressure soon to allow R-protocol, NFS, etc to a machine on the other
side of this filter. At which point my filter is virtually useless.

So I think its true to say that as a generalisation, encryption *is*
the only way to block attacks.


Dave.

* David Mitchell, Systems Administrator,    email: D.Mitchell () dcs shef ac uk
* Dept. Computer Science, Sheffield Uni.    phone: +44 114-282-5573
* 211 Portobello St, Sheffield S1 4DP, UK.  fax:   +44 114-278-0972
*
* Standards (n). Battle insignia or tribal totems