Firewall Wizards mailing list archives
Re: Comparisons of Firewall-1 vs. PIX
From: "Mark Horn [ Net Ops ]" <mhornNOSPAM () NOSPAMfunb com>
Date: Wed, 30 Sep 1998 12:32:49 -0400
Jean-Christophe Touvet says:
I think your reply raises an interesting question: should source port filtering be considered mandatory for a firewall? I'd say generally no, because firewalls are mainly used to protect networks from untrusted hosts, and if you don't trust a host, you can't trust the source port of connections coming from it.
The specific example that I was thinking of was NTP. I want to be able to serve NTP to a particular site, but I want to make sure that end users at that site can't spam my NTP server. So, in Cisco access-lists, I'd write:

    access-list 101 permit udp host site eq 123 host myserver eq 123

When it comes down to it there are at least 5 elements that uniquely determine a given data stream in UDP or TCP:

    Source Address
    Source Port
    Destination Address
    Destination Port
    Protocol

Additionally, TCP has:

    Sequence Number
    Syn/Ack Bit

If a firewall can't use all of those elements to uniquely identify a given data stream, then, IMHO, it's not much of a firewall.

It seems a bit of a stretch to me to say that there is never any value to source port filtering. It's just a tool. And having that tool and not using it is infinitely better than not having the tool but needing it.

-- 
Mark Horn <mhornNOSPAM () NOSPAMfunb com>
PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
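The NTP access-list and the 5-tuple argument in the post above, as an added example that is not part of the original message: a small Python matcher for Cisco-style extended ACL entries, evaluating the post's rule with and without the source-port qualifier. The host addresses are constructed, and the parser handles only the `host ... [eq N]` form the post uses.

```python
from collections import namedtuple

# Added example (not from the post): a toy matcher for Cisco-style extended
# ACL entries of the shape quoted above, used to show what the source-port
# qualifier on the NTP rule actually buys. "site" and "myserver" are the
# post's placeholders; the addresses are constructed (RFC 5737 ranges).
HOSTS = {"site": "192.0.2.10", "myserver": "198.51.100.5"}

Packet = namedtuple("Packet", "proto src sport dst dport")
# sport/dport of None in an entry means "any port" (no 'eq' qualifier given)
AclEntry = namedtuple("AclEntry", "action proto src sport dst dport")

def parse_acl(line):
    """Parse 'access-list N permit|deny PROTO host A [eq P] host B [eq P]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported entry: " + line)
    action, proto, rest, ends = tok[2], tok[3], tok[4:], []
    while rest:
        if rest[0] != "host":
            raise ValueError("only 'host' endpoints are handled here")
        addr, port, rest = HOSTS.get(rest[1], rest[1]), None, rest[2:]
        if rest[:1] == ["eq"]:
            port, rest = int(rest[1]), rest[2:]
        ends.append((addr, port))
    (src, sport), (dst, dport) = ends
    return AclEntry(action, proto, src, sport, dst, dport)

def matches(e, p):
    return (e.proto == p.proto and e.src == p.src and e.dst == p.dst
            and e.sport in (None, p.sport) and e.dport in (None, p.dport))

def decide(acl, p):
    """First match wins; a Cisco ACL ends with an implicit deny."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"

def ntp_demo():
    """Decisions for the same two packets under both NTP rule variants."""
    with_sport = [parse_acl("access-list 101 permit udp host site eq 123 host myserver eq 123")]
    no_sport = [parse_acl("access-list 101 permit udp host site host myserver eq 123")]
    ntpd = Packet("udp", HOSTS["site"], 123, HOSTS["myserver"], 123)    # site's NTP daemon
    user = Packet("udp", HOSTS["site"], 40123, HOSTS["myserver"], 123)  # client on an ephemeral port
    return {
        "with_sport": (decide(with_sport, ntpd), decide(with_sport, user)),
        "no_sport": (decide(no_sport, ntpd), decide(no_sport, user)),
    }
```

Without the `eq 123` on the source side, the ephemeral-port client is permitted just like the peer's daemon; with it, only daemon-to-daemon traffic gets through, which is exactly the distinction the post is making.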