Firewall Wizards mailing list archives

Re: Firewall-Wizards Digest V1 #311


From: Matt Curtin <cmcurtin () interhack net>
Date: Mon, 31 May 1999 14:27:53 -0400 (EDT)

On Mon, 31 May 1999 10:42:45 -0700 (PDT),
      Sandy Green <sand232 () yahoo com> said:

Sandy> The NT OS or the Unix OS do not detect source routed
Sandy> packets. So one would need another software to detect such
Sandy> packets, and one would in all probability do this with a
Sandy> firewall software....

That is not correct.  Unix operating systems (specifically FreeBSD,
NetBSD, OpenBSD, Linux, Solaris, and probably every other flavor) are
capable of detecting source routed packets.

With Unix there isn't the need for another layer of software to detect
and to drop source-routed packets.

Where another layer of software is involved anyway, the ability for
the OS to detect such traffic is especially important when considering
that in security systems--including firewalls--the "belt-and-suspenders"
approach of redundancy should be the rule of design.  That
means that both the OS and the application(s) atop it should be
configured to drop them.  As should the router(s) around it.

This way, if your application detects a source-routed packet, the
correct behavior isn't simply to drop it, but to sound an alarm,
because it means one of the other security mechanisms has been
defeated.

Thanks to everyone who answered my question.  It sounds like, as
usual, Microsoft's software doesn't deliver functionality that is
absolutely critical in a security system, but they promise that it
will be available in The Next Version.  And so goes the vaporware from
Redmond.  That's why you'll find none of their cruft "protecting" any
of my assets.

-- 
Matt Curtin cmcurtin () interhack net http://www.interhack.net/people/cmcurtin/
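Added example, not code from the list post or from any OS or firewall product: a Python check for the IPv4 source-route options (LSRR and SSRR, RFC 791) that the post says the OS, the application and the routers should all drop, applying the post's belt-and-suspenders rule that a hit at the application layer is an alarm, not a silent drop. The packet builder, the option-type constants' use and the RFC 5737 addresses are constructed test input; the handling of a malformed option area is an assumption (treated as an alarm condition too).

```python
import struct

# IPv4 option type codes from RFC 791 (real values, not assumptions).
LSRR, SSRR, EOL, NOP = 0x83, 0x89, 0x00, 0x01

def source_route_option(packet: bytes):
    """('LSRR'|'SSRR', [hops]) if the header carries a source-route option,
    ('malformed', []) if the option area cannot be parsed safely, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ("malformed", [])
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        t = opts[i]
        if t == EOL:
            break
        if t == NOP:                      # one-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            return ("malformed", [])
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return ("malformed", [])
        if t in (LSRR, SSRR):
            body = opts[i + 3:i + length]  # skip type, length, pointer bytes
            hops = [".".join(map(str, body[j:j + 4]))
                    for j in range(0, len(body) - len(body) % 4, 4)]
            return ("LSRR" if t == LSRR else "SSRR", hops)
        i += length
    return None

def classify(packet: bytes) -> str:
    # OS and routers should already have dropped this; a hit here is an alarm.
    found = source_route_option(packet)
    return "pass" if found is None else "drop+alarm:" + found[0]

def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    # Constructed test-packet builder: header only, checksum left zero.
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                      64, 6, 0, *(bytes(map(int, a.split("."))) for a in (src, dst)))
    return hdr + options

# Constructed sample (RFC 5737 addresses) carrying a two-hop loose source route.
LOOSE = build_ipv4("192.0.2.10", "192.0.2.20",
                   bytes([LSRR, 11, 4, 192, 0, 2, 1, 198, 51, 100, 9]))
```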


