
Re: Comparisons of Firewall-1 vs. PIX


Jean-Christophe Touvet (jctedelweb.fr)
Wed, 30 Sep 1998 20:45:06 +0200


>>> Mark wrote:
> The specific example that I was thinking of was NTP. I want to be able to
> serve NTP to a particular site, but I want to make sure that end users at
> that site can't spam my NTP server. So, in cisco access-lists, I'd write:
> ...
> It seems a bit of a stretch to me to say that there is never any value to
> source port filtering. It's just a tool. And having that tool and not
> using it is infinitely better than not having the tool but needing it.

 Hmm, I don't think I said that it's never valuable. Let me clarify my point
of view.

 Today, no secure protocol relies on source port. Let's take the example of
NTP: if you want security for this service, relying on source port/address of
packets is IMHO the wrong way to go. Don't forget that it's UDP based, thus
IP spoofing is trivial in this case. You should rather use NTP authentication,
with a key file readable only by root on the remote machine.

 Even if I can see specific cases where source port filtering is valuable
(especially when writing filters for stateless devices), I still don't think
that one should ban a Firewall just because it never lets you write rules which
trust source ports.

>>> And Paul wrote:
> If misuse were a candidate, and internal firewalling were not an
> issue, then maybe you'd have a case, but your limitations seem arbitrary
> to me.

 Yes, I've seen much more misuse than clever use of source port filtering at
customers' sites. But maybe European netadmins are undereducated ;-)

 I also think that it was clear in my previous message that I wouldn't use
PIX for Intranet multidirectional Firewalling, since it's not designed for
this purpose.

 Regards,

    -JCT-
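The alternative JCT recommends above (NTP authentication with a key file readable only by root, instead of trusting the UDP source port) as an added worked example; this is not code from the thread or from any of its participants. It assumes a hypothetical server 192.0.2.10, a client subnet 192.0.2.0/24, key id 1, and writes into a scratch directory instead of /etc so it runs unprivileged. The directives used (keys, trustedkey, restrict with notrust, server ... key N) are the standard ntpd symmetric-key ones.

```shell
#!/bin/sh
# Added example: symmetric-key NTP authentication as a replacement for
# source-port filtering. Not from the original thread.
# Assumptions (hypothetical): server 192.0.2.10, site subnet 192.0.2.0/24,
# key id 1; files are written under a temp dir rather than /etc.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYFILE="$WORKDIR/ntp.keys"
CONF_SERVER="$WORKDIR/ntp.conf.server"
CONF_CLIENT="$WORKDIR/ntp.conf.client"
KEYID=1

# Write a random 160-bit key in the "keyid type key" line format ntpd reads
# from the file named by its "keys" directive. umask 077 makes the file 0600
# at creation, so the secret is never world-readable even for an instant.
gen_keyfile() {
    secret=$(od -An -tx1 -N20 /dev/urandom | tr -d ' \n')
    umask 077
    printf '%s SHA1 %s\n' "$KEYID" "$secret" > "$KEYFILE"
    chmod 600 "$KEYFILE"
}

# Server side: the site subnet may ask for time, but "notrust" means a packet
# is served only if it carries a valid MAC under a trusted key. A spoofed
# source address or a "trusted" source port buys an attacker nothing here.
write_server_conf() {
    cat > "$CONF_SERVER" <<EOF
keys $KEYFILE
trustedkey $KEYID
restrict default ignore
restrict 192.0.2.0 mask 255.255.255.0 notrust nomodify notrap nopeer noquery
EOF
}

# Client side: the same shared key; "key $KEYID" on the server line makes the
# client sign its requests and verify the replies.
write_client_conf() {
    cat > "$CONF_CLIENT" <<EOF
keys $KEYFILE
trustedkey $KEYID
server 192.0.2.10 key $KEYID
EOF
}

# Check that the key file is readable by its owner only (0600).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Check that the key line is well formed: id, SHA1, 40 hex digits.
key_line_ok() {
    grep -qE "^$KEYID SHA1 [0-9a-f]{40}\$" "$1"
}

gen_keyfile
write_server_conf
write_client_conf
key_perms_ok "$KEYFILE" && key_line_ok "$KEYFILE" \
    && echo "key file $KEYFILE is 0600 and well formed; configs in $WORKDIR"
```

The point of the "restrict default ignore" plus "notrust" pair is that the decision to answer no longer depends on anything an attacker controls in a UDP header; it depends on possession of the key, which is exactly why that file has to stay 0600 and owned by root on both machines.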



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:55 CDT