Firewall Wizards mailing list archives
RE: terminal services
From: "Reckhard, Tobias" <tobias.reckhard () secunet com>
Date: Wed, 29 Jan 2003 08:26:20 +0100
Barney Wolff <barney () pit databus com> wrote on January 29, 2003 1:36 AM:
Any network without a state-keeping firewall between it and the Internet really needs to have just one or two DNS cacheing proxies doing requests from port 53, ditto NTP, and block all other UDP. Anything else is just too dangerous, not by a little, but by a whole lot.
Source ports are worth pretty much zilch when filtering TCP or UDP. It's not a good security decision to design a filter that attempts to allow (only) outbound DNS queries based on outbound packets having source port 53 and inbound packets having destination port 53. Rather, the source port (in the outbound direction) should be able to be pretty much anything, while the destination port is the one that needs to be checked. Same for NTP or any other service.

There are protocols that use fixed client as well as server ports. IKE appears to be one of them (but DNS and NTP definitely aren't). You can configure your packet filter, stateful or not, more restrictively by restricting the source ports used. It may buy you some added security. Most of the time, that won't be much, though.

Cheers,
Tobias

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
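The three filter designs argued over above (match on the remote source port, narrow the client-side port range, or keep state per outbound flow) can be compared on the same packets. The Python below is an added illustration written for this archive page; it is not code from Tobias, Barney or the list, and every address, port and packet in it is constructed for the demonstration. It models a stateless ACL that trusts "source port 53" as a proxy for "DNS reply", the same ACL with clients pinned to ephemeral ports, and a stateful filter that checks only the destination port on the way out and admits inbound packets solely as the reverse of a recorded flow. The attacker's packets need nothing more than a forged source port of 53.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One datagram as the filter sees it. direction is "out" (LAN to
    Internet) or "in" (Internet to LAN)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


def _match(spec, value):
    """A rule field is None (any), an int (exact) or a (lo, hi) range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        lo, hi = spec
        return lo <= value <= hi
    return spec == value


class StatelessFilter:
    """Plain ACL: each packet is judged on its own header fields only.
    rules: list of (direction, proto, sport_spec, dport_spec); first match permits."""

    def __init__(self, rules):
        self.rules = rules

    def allow(self, pkt):
        for direction, proto, sport, dport in self.rules:
            if (direction == pkt.direction and proto == pkt.proto
                    and _match(sport, pkt.sport) and _match(dport, pkt.dport)):
                return True
        return False


class StatefulFilter:
    """Outbound packets are checked against an egress policy keyed on the
    destination port only (the client source port is whatever the stack
    picked). Inbound packets are permitted solely when they are the exact
    reverse of a flow recorded on the way out."""

    def __init__(self, egress):
        self.egress = egress    # set of (proto, dport) allowed outbound
        self.flows = set()      # (proto, src, sport, dst, dport) seen outbound

    def allow(self, pkt):
        if pkt.direction == "out":
            if (pkt.proto, pkt.dport) in self.egress:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.flows


# Constructed traffic for the demonstration (assumed addresses, not captured).
QUERY = Packet("udp", "10.0.0.5", 40123, "198.51.100.53", 53, "out")
REPLY = Packet("udp", "198.51.100.53", 53, "10.0.0.5", 40123, "in")
# The attacker sets a source port of 53 and aims at an internal port of
# their choosing; 3389 and 445 are hypothetical targets.
SPOOF_HIGH = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 3389, "in")
SPOOF_LOW = Packet("udp", "203.0.113.9", 53, "10.0.0.5", 445, "in")
TRAFFIC = (QUERY, REPLY, SPOOF_HIGH, SPOOF_LOW)


def evaluate():
    """Return {filter name: tuple of verdicts for TRAFFIC, in order}."""
    # Stateless, client source port unrestricted: any inbound UDP from
    # source port 53 is taken to be a DNS reply.
    loose = StatelessFilter([("out", "udp", None, 53),
                             ("in", "udp", 53, None)])
    # Stateless, but clients are made to use ephemeral ports only, so the
    # inbound reply rule can at least be narrowed to dports 1024-65535.
    restricted = StatelessFilter([("out", "udp", (1024, 65535), 53),
                                  ("in", "udp", 53, (1024, 65535))])
    stateful = StatefulFilter({("udp", 53)})
    return {name: tuple(f.allow(p) for p in TRAFFIC)
            for name, f in (("stateless", loose),
                            ("stateless_restricted", restricted),
                            ("stateful", stateful))}


if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:21s} query={v[0]} reply={v[1]} "
              f"spoof->3389={v[2]} spoof->445={v[3]}")
```

Running it shows the three outcomes in one table: the loose stateless ACL admits both forged packets, pinning client source ports blocks only the forged packet aimed below 1024 (the "some added security, not much" case), and the stateful filter rejects both because neither matches a flow it saw leave the network.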
Current thread:
- Re: terminal services, (continued)
- Re: terminal services Steven M. Bellovin (Jan 28)
- RE: terminal services Noonan, Wesley (Jan 28)
- RE: terminal services R. DuFresne (Jan 28)
- RE: terminal services Paul D. Robertson (Jan 28)
- Re: terminal services Barney Wolff (Jan 28)
- RE: firewall design (was: RE: terminal services ) m p (Jan 29)
- RE: terminal services R. DuFresne (Jan 28)
- RE: terminal services Paul D. Robertson (Jan 28)
- RE: terminal services R. DuFresne (Jan 28)
- Message not available
- RE: terminal services Marcus J. Ranum (Jan 28)
- Re: terminal services Barney Wolff (Jan 29)
- Re: terminal services Paul Robertson (Jan 29)
- Re: terminal services Barney Wolff (Jan 30)
- Re: DNS security (Was: re: terminal services) Mikael Olsson (Jan 31)