Firewall Wizards mailing list archives
Re: Comparisons of Firewall-1 vs. PIX
From: Jean-Christophe Touvet <jct () edelweb fr>
Date: Wed, 30 Sep 1998 20:45:06 +0200
Mark wrote:

> The specific example that I was thinking of was NTP. I want to be able to serve NTP to a particular site, but I want to make sure that end users at that site can't spam my NTP server. So, in cisco access-lists, I'd write: ... It seems a bit of a stretch to me to say that there is never any value to source port filtering. It's just a tool. And having that tool and not using it is infinitely better than not having the tool but needing it.

Hmm, I don't think I said that it's never valuable. Let me clarify my point of view. Today, no secure protocol relies on source port. Let's take the example of NTP: if you want security for this service, relying on the source port/address of packets is IMHO the wrong way to go. Don't forget that it's UDP based, thus IP spoofing is trivial in this case. You should rather use NTP authentication, with a key file readable only by root on the remote machine. Even if I can see specific cases where source port filtering is valuable (especially when writing filters for stateless devices), I still don't think that one should ban a Firewall just because it never lets one write rules which trust source ports.

And Paul wrote:

> If misuse were a candidate, and internal firewalling were not an issue, then maybe you'd have a case, but your limitations seem arbitrary to me.

Yes, I've seen much more misuse than clever use of source port filtering at customers' sites. But maybe European netadmins are undereducated ;-) I also think that it was clear in my previous message that I wouldn't use PIX for Intranet multidirectional Firewalling, since it's not designed for this purpose.

Regards,
-JCT-
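As an added illustration of the authenticated-NTP approach recommended above (this is not part of the original message; the network, hostname and key are constructed, and the `restrict` semantics are those of the ntpd 4.2+ reference implementation):

```conf
# /etc/ntp.conf on the NTP server (constructed example)
# Authentication is tied to a shared secret in a root-only file, not to the
# source port of a UDP datagram, which any sender can set to whatever it likes.
keys /etc/ntp.keys            # key file: owner root, mode 0600
trustedkey 1                  # key ids clients are allowed to authenticate with

# Default policy: serve time only to authenticated packets (notrust),
# refuse remote reconfiguration (nomodify) and mode-6/7 queries (noquery).
restrict default notrust nomodify noquery nopeer
# The served site (192.0.2.0/24, constructed) gets the same rule: valid key or nothing.
restrict 192.0.2.0 mask 255.255.255.0 notrust nomodify noquery
# Local administration on the loopback stays unrestricted.
restrict 127.0.0.1

# /etc/ntp.keys on both server and client (owner root, mode 0600).
# Format: <keyid> <type> <secret>; M selects an MD5 key. Generate real keys
# with ntp-keygen -M rather than typing one in.
#   1 M ExampleSecretNotForUse

# /etc/ntp.conf on a client at the served site (constructed hostname)
#   keys /etc/ntp.keys
#   trustedkey 1
#   server ntp.example.org key 1
```

With `notrust` in place an unauthenticated request is dropped whatever its source port, so the firewall rule can stay simple (UDP/123 in and out) and the trust decision lives in the key check.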