Firewall Wizards mailing list archives

Re: Comparisons of Firewall-1 vs. PIX


From: Jean-Christophe Touvet <jct () edelweb fr>
Date: Wed, 30 Sep 1998 20:45:06 +0200


Mark wrote:
The specific example that I was thinking of was NTP.  I want to be able to
serve NTP to a particular site, but I want to make sure that end users at
that site can't spam my NTP server.  So, in cisco access-lists, I'd write:
      ...
It seems a bit of a stretch to me to say that there is never any value to
source port filtering.  It's just a tool.  And having that tool and not
using it is infinitely better than not having the tool but needing it.

 Hmm, I don't think I said that it's never valuable. Let me clarify my point
of view.

 Today, no secure protocol relies on source port. Let's take the example of
NTP: if you want security for this service, relying on source port/address of
packets is IMHO the wrong way to go. Don't forget that it's UDP based, thus
IP spoofing is trivial in this case. You should rather use NTP authentication,
with a key file readable only by root on the remote machine.

 Even if I can see specific cases where source port filtering is valuable
(especially when writing filters for stateless devices), I still don't think
that one should ban a Firewall just because it never lets you write rules which
trust source ports.

And Paul wrote:
If misuse were a candidate, and internal firewalling were not an 
issue, then maybe you'd have a case, but your limitations seem arbitrary
to me.

 Yes, I've seen much more misuse than clever use of source port filtering at
customers' sites. But maybe European netadmins are undereducated ;-)

 I also think that it was clear in my previous message that I wouldn't use
PIX for Intranet multidirectional Firewalling, since it's not designed for
this purpose.

 Regards,

    -JCT-
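The alternative JCT recommends above (keyed NTP authentication with a root-only key file, instead of trusting the UDP source port/address) looks roughly like the following ntpd configuration. This is an added example, not part of the original post; it assumes ntpd 4.2 or later restrict semantics, and the paths, key id, secret and the server address 198.51.100.5 are placeholders.

```conf
# /etc/ntp.conf on the NTP server (assumed path)
# Authentication is done with a symmetric key, so a spoofed UDP source
# address or a crafted source port 123 buys the sender nothing.
keys /etc/ntp.keys            # key file: owned by root, mode 0600
trustedkey 1                  # key id 1 is accepted for authentication

# Default policy: no config changes, no traps, no peering, no status
# queries, and 'notrust' refuses time service unless the request carries
# a valid key (ntpd 4.2+ meaning of notrust). 'kod' rate-limits abusers.
restrict default kod nomodify notrap nopeer noquery notrust
restrict 127.0.0.1

# /etc/ntp.keys on both server and client (install with: chmod 600)
# format: <keyid> <type> <secret>; type M = MD5-keyed digest
1 M ExampleSecretReplaceMe

# /etc/ntp.conf on the remote client
keys /etc/ntp.keys
trustedkey 1
server 198.51.100.5 key 1     # placeholder server address; sign requests with key 1
```

A client that does not know key 1 still reaches the server over UDP, but its requests fail authentication and are not served, which is the property a source-port ACL on a stateless device cannot provide.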
