Firewall Wizards mailing list archives
Re: Firewall-Wizards Digest V1 #311
From: Matt Curtin <cmcurtin () interhack net>
Date: Mon, 31 May 1999 14:27:53 -0400 (EDT)
On Mon, 31 May 1999 10:42:45 -0700 (PDT), Sandy Green <sand232 () yahoo com> said:

Sandy> The NT OS or the Unix OS do not detect source routed
Sandy> packets. So one would need another software to detect such
Sandy> packets, and one would in all probability do this with a
Sandy> firewall software....

That is not correct. Unix operating systems (specifically FreeBSD, NetBSD, OpenBSD, Linux, Solaris, and probably every other flavor) are capable of detecting source routed packets. With Unix there isn't the need for another layer of software to detect and to drop source-routed packets.

Where another layer of software is involved anyway, the ability for the OS to detect such traffic is especially important when considering that in security systems--including firewalls--the "belt-and-suspenders" approach of redundancy should be the rule of design. That means that both the OS and the application(s) atop it should be configured to drop them. As should be router(s) around it.

This way, if your application detects a source-routed packet, the correct behavior isn't simply to drop it, but to sound an alarm, because it means one of the other security mechanisms has been defeated.

Thanks to everyone who answered my question. It sounds like, as usual, Microsoft's software doesn't deliver functionality that is absolutely critical in a security system, but they promise that it will be available in The Next Version. And so goes the vaporware from Redmond. That's why you'll find none of their cruft "protecting" any of my assets.

--
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
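
An added example, not part of the original post or of any product discussed in it: a sketch of the application-layer check the message describes, walking the IPv4 header options and flagging loose (type 131) and strict (type 137) source routes as defined in RFC 791. The function names, the `verdict` policy, and the sample header bytes are constructed for illustration.

```python
import ipaddress
import struct

SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}  # RFC 791 loose / strict source route
# Constructed LSRR option: NOP, type 131, length 11, pointer 4, two hops.
LSRR = bytes([1, 131, 11, 4, 203, 0, 113, 1, 203, 0, 113, 2])


def source_route_options(packet: bytes):
    """Return [(option name, [hop addresses])] found in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (packet[0] & 0x0F) * 4
    if not 20 <= header_len <= len(packet):
        raise ValueError("bad header length")
    opts, found, i = packet[20:header_len], [], 0
    while i < len(opts) and opts[i] != 0:      # 0 = End of Option List
        if opts[i] == 1:                       # 1 = No Operation, single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("option length overruns header")
        if opts[i] in SOURCE_ROUTE:
            route = opts[i + 3:i + length]     # skip type, length, pointer
            if length < 3 or len(route) % 4:
                raise ValueError("bad source-route length")
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route), 4)]
            found.append((SOURCE_ROUTE[opts[i]], hops))
        i += length
    return found


def verdict(packet: bytes) -> str:
    """Hypothetical policy: alarm on source routing, drop malformed headers."""
    try:
        return "alarm" if source_route_options(packet) else "pass"
    except ValueError:
        return "drop"


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample header (checksum zero, documentation addresses)."""
    options += bytes(-len(options) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + options
```

Here `verdict(build_header(LSRR))` returns `"alarm"` rather than silently discarding the packet, matching the point that a source-routed packet reaching the application means an outer layer failed.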