Firewall Wizards mailing list archives

Re: non-IP firewalls

From: Chris Brenton <cbrenton () sover net>
Date: Thu, 30 Apr 1998 00:25:12 -0400

-= ArkanoiD =- wrote:

The answers made me wonder: people started to say things like "yes, firewall X
does support x.25, fddi, token ring, etc..". Such an answer gives me strong
impression that they mean "product X can firewall IP on x.25, fddi,
token ring.." which is completely different thing.


Agreed. Sounds like someone has their layers mixed up. ;)

A question is: what non-IP protocols can be (and should be) firewalled?


"Should" is implementation specific, "can is a whole different story.

IPX - filter RIPs and SAPs to control server access
You can control who can get to each server by blocking route and server
advertisements. This is not as clean as it may sound as you have a few limitations:

1) You can not filter on a per client basis (at least not that I have seen)
2) Depending on the config, you can circumvent the filtering

For example, let's say I have a client on network 1 and there are two servers on
network 2. I want the client to be able to access server A but not server B. While
I can filter out RIP/SAP so the client will not see the server, all the client has
to do is query server A for all known servers. This will tell me about server B and
allow me to connect up. To prevent this, I would have to hide server A&B from each
other, not a good thing in an NDS environment.

AT - Filter Zone names and network ranges
Again, not the best security control as I must block full ranges, I can not block
individual clients. AT devices dynamically grab a unique address on startup. This
means that I can not block individual clients as I can not predict which address
they will use. Yes this can be preset, but it's way to easy to reset it.

NetBIOS - ????
None that I know of beyond filtering out traffic to the multicast address
030000000001. This still is not cool as it would block all NEtBIOS/NEtBEUI traffic.
About the equivalent of just cutting the cable. You do get a bit of control if you
use scopes but this is way too easy to defeat.

Given the above descriptions, I guess IP is not all that insecure after all. ;)

Some people ask me if i can let ipx through firewalls i build - i answer no
just because i can't filter and monitor it properly and thus it will break the
security policy..


Cisco does a pretty good job of filtering IP, IPX and AT. NetWare 4.1 includes a
utility called filtcfg that can be run from the server console. You need to enable
support through inetcfg first, but it does a pretty cool job of controlling traffic
in multi-NIC servers.

Cheers,
Chris
--
**************************************
cbrenton () sover net

Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529

Support the anti-spam movement: http://www.cauce.org/

Current thread:

Re: non-IP firewalls Chris Brenton (May 01)
- Re: non-IP firewalls David Phelan (May 07)
- <Possible follow-ups>
- Re: non-IP firewalls Bennett Todd (May 01)
- Re: non-IP firewalls Bernhard Schneck (May 01)
  - Re: non-IP firewalls Marcus J. Ranum (May 01)
  - Re: non-IP firewalls Mark Plesser (May 01)
- RE: non-IP firewalls Stout, William (May 01)