Firewall Wizards mailing list archives

Re: Comparisons of Firewall-1 vs. PIX


From: "Mark Horn [ Net Ops ]" <mhornNOSPAM () NOSPAMfunb com>
Date: Wed, 30 Sep 1998 12:32:49 -0400

Jean-Christophe Touvet says:
I think your reply raises an interesting question: should source port
filtering be considered mandatory for a firewall ?

I'd say generally no, because firewalls are mainly used to protect networks
from untrusted hosts, and if you don't trust a host, you can't trust source
port of connections coming from it. 

The specific example that I was thinking of was NTP.  I want to be able to
serve NTP to a particular site, but I want to make sure that end users at
that site can't spam my NTP server.  So, in cisco access-lists, I'd write:

        access-list 101 permit udp host site eq 123 host myserver eq 123

When it comes down to it there are at least 5 elements that uniquely
determine a given data stream in UDP or TCP:

        Source Address
        Source Port
        Destination Address
        Destination Port
        Protocol

Additionally, TCP has:

        Sequence Number
        Syn/Ack Bit

If a firewall can't use all of those elements to uniquely identify a given
data stream, then, IMHO, it's not much of a firewall.

It seems a bit of a stretch to me to say that there is never any value to
source port filtering.  It's just a tool.  And having that tool and not
using it is infinitely better than not having the tool but needing it.

-- 
Mark Horn <mhornNOSPAM () NOSPAMfunb com>

PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
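
As an added example (not part of the original thread or any product mentioned in it), here is a small Python evaluator for Cisco-style extended access-list lines of the form used in the post, showing which UDP/TCP 5-tuples the NTP rule admits and which it rejects. The names `site` and `myserver` are the post's placeholders; the ephemeral port numbers and the second host are constructed.

```python
"""Constructed evaluator for Cisco-style extended access-list lines.

Supported shape:  access-list N permit|deny PROTO host SRC [eq SPORT] host DST [eq DPORT]
Only 'host' address specifiers and optional 'eq' port tests are implemented,
and every list ends with the implicit deny, as on the real device.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RULE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)"
    r"\s+host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\d+))?"
    r"\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None means "any source port"
    dst: str
    dport: Optional[int]   # None means "any destination port"


def parse_acl(text: str) -> List[Rule]:
    """Parse one access-list line per input line into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append(Rule(m["action"], m["proto"],
                          m["src"], int(m["sport"]) if m["sport"] else None,
                          m["dst"], int(m["dport"]) if m["dport"] else None))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, sport: int,
             dst: str, dport: int) -> str:
    """Return the action of the first matching rule, or 'deny' (implicit deny)."""
    for r in rules:
        if (r.proto == proto and r.src == src and r.dst == dst
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action
    return "deny"


# The post's NTP rule: only server-to-server traffic (port 123 -> port 123).
NTP_RULES = parse_acl("access-list 101 permit udp host site eq 123 host myserver eq 123")
```

Note that a client at `site` that binds local port 123 produces the same 5-tuple as the peer server, which is exactly the limit Jean-Christophe raises: the rule narrows what the remote host may send, but cannot verify who on that host sent it.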


