Re: Interesting DNS Traffic -Reply -Reply
Einar EINARSSON (einar.einarsson@iea.org)
Thu, 03 Jun 1999 18:16:00 +0100
OK, packet filters are not the definitive answer to network
insecurity, there are weaknesses, etc., but still it won't hurt if
I put a few of those in there, right? So as I try to put together
the filtering rule for DNS flow, for example, and given that the
idea of a packet filtering router is to open up as few ports as
possible, and given that one of the few things useful in a
packet header, for this purpose, are source and destination
ports, how can I write the rule if some DNS lookup
implementations use one source port range and others use
another port range? I mean, how on earth do you program a
router under such circumstances?
Einar
>>> Chris Calabrese <christopher_calabrese@merck.com> 6/3/99 2:46 pm >>>
Here's what the IANA
(http://www.isi.edu/in-notes/iana/assignments/port-numbers)
has to say on the subject:
The port numbers are divided into three ranges: the Well Known Ports,
the Registered Ports, and the Dynamic and/or Private Ports.
The Well Known Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151.
The Dynamic and/or Private Ports are those from 49152 through 65535.
Both Well Known Ports and Registered Ports are set aside for listeners
(the difference between them has to do with the level of privilege
needed in various OSes to access different port numbers). It's the
Dynamic ports that programs are supposed to use to connect _from_.
Therefore, the only stance we can take on this based on the RFCs is
that the firewall should allow connections only from 49152-65535.
Experience tells me this isn't going to work.
In most OS implementations, ordinary user processes get ports above
1023 when asking for a port to call out on, and privileged processes
may request the lower numbered ports. OSes without the concept of
privilege obviously can't follow this model. Sounds like a pretty
weak model to base a firewall rule on.
Not to mention, why exactly should you care what port the connection
is coming from? Unless you can guarantee that the connection is
coming from a machine you administer, there's no reason to trust any
port more than any other port. Guaranteeing where the connection came
from, in this context, means either strong/crypto authentication or a
very small number of IPs in address ranges that the firewalls
guarantee come from a particular net segment where you physically
control that net segment and all the paths leading to it.
--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese@merck.com
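An added illustration of the point argued in this thread, not code from either poster: a tiny packet-filter rule evaluator in Python, run over constructed outbound DNS queries from two internal resolvers. One resolver (the addresses 10.0.0.5/10.0.0.6 and its port behaviour are assumed) picks source ports just above 1023, the other uses the IANA dynamic range; a rule that trusts only 49152-65535 silently drops half the legitimate traffic, while a rule keyed on the administered source hosts and destination port 53 passes all of it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# IANA port ranges as quoted in the thread.
WELL_KNOWN = range(0, 1024)
REGISTERED = range(1024, 49152)
DYNAMIC = range(49152, 65536)


def iana_range(port: int) -> str:
    """Name the IANA range a port number falls in."""
    for name, rng in (("well-known", WELL_KNOWN), ("registered", REGISTERED), ("dynamic", DYNAMIC)):
        if port in rng:
            return name
    raise ValueError(f"not a valid port: {port}")


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src_net: str       # CIDR the packet's source address must fall in
    src_ports: range   # source port range the rule matches
    dst_port: int      # destination port (53 for DNS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit default deny, like a router ACL."""
    for r in rules:
        if (ip_address(pkt.src_ip) in ip_network(r.src_net)
                and pkt.src_port in r.src_ports and pkt.dst_port == r.dst_port):
            return r.action
    return "deny"


# Constructed sample: outbound DNS queries from two internal resolvers.
SAMPLE = [
    Packet("10.0.0.5", 1025, 53),   # OS hands out source ports just above 1023
    Packet("10.0.0.5", 1037, 53),
    Packet("10.0.0.6", 50123, 53),  # OS uses the IANA dynamic range
    Packet("10.0.0.6", 61877, 53),
]

# Rule A: trust the source port, as the IANA text alone would suggest.
IANA_ONLY = [Rule("allow", "0.0.0.0/0", DYNAMIC, 53)]
# Rule B: trust the administered source hosts and the service port instead.
BY_SOURCE_HOST = [Rule("allow", "10.0.0.0/24", range(1024, 65536), 53)]


def count_allowed(rules: list[Rule], packets: list[Packet]) -> int:
    return sum(1 for p in packets if evaluate(rules, p) == "allow")
```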
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT