Re: Firewall-Wizards Digest V1 #311
Matt Curtin (cmcurtin@interhack.net)
Mon, 31 May 1999 14:27:53 -0400 (EDT)
- Next message: David LeBlanc: "Re: Survey.exe"
- Previous message: Jean-Hugues Smits: "RE: Survey.exe"
- Next in thread: Carric Dooley: "Re: Firewall-Wizards Digest V1 #311"
- Reply: Carric Dooley: "Re: Firewall-Wizards Digest V1 #311"
>>>>> On Mon, 31 May 1999 10:42:45 -0700 (PDT), Sandy Green <sand232@yahoo.com> said:
Sandy> The NT OS or the Unix OS do not detect source routed
Sandy> packets. So one would need another software to detect such
Sandy> packets, and one would in all probability do this with a
Sandy> firewall software....
That is not correct. Unix operating systems (specifically FreeBSD,
NetBSD, OpenBSD, Linux, Solaris, and probably every other flavor) are
capable of detecting source routed packets.

With Unix there isn't the need for another layer of software to detect
and to drop source-routed packets.

Where another layer of software is involved anyway, the ability for
the OS to detect such traffic is especially important when considering
that in security systems--including firewalls--the
"belt-and-suspenders" approach of redundancy should be the rule of
design. That means that both the OS and the application(s) atop it
should be configured to drop them. As should be router(s) around it.

This way, if your application detects a source-routed packet, the
correct behavior isn't simply to drop it, but to sound an alarm,
because it means one of the other security mechanisms has been
defeated.

Thanks to everyone who answered my question. It sounds like, as
usual, Microsoft's software doesn't deliver functionality that is
absolutely critical in a security system, but they promise that it
will be available in The Next Version. And so goes the vaporware from
Redmond. That's why you'll find none of their cruft "protecting" any
of my assets.
-- 
Matt Curtin cmcurtin@interhack.net http://www.interhack.net/people/cmcurtin/
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT