Re: Interesting DNS Traffic -Reply
Chris Calabrese (christopher_calabrese@merck.com)
Thu, 03 Jun 1999 09:46:14 -0400
- Next message: Michael H. Warfield: "Re: Anybody have a clue why..."
- Previous message: Ge' Weijers: "Re: IMAP- how to protect a server?"
- In reply to: Aaron D. Turner: "IMAP- how to protect a server?"
Here's what the IANA
(http://www.isi.edu/in-notes/iana/assignments/port-numbers) has to say
on the subject:
    The port numbers are divided into three ranges: the Well Known Ports,
    the Registered Ports, and the Dynamic and/or Private Ports.

    The Well Known Ports are those from 0 through 1023.
    The Registered Ports are those from 1024 through 49151.
    The Dynamic and/or Private Ports are those from 49152 through 65535.
Both Well Known Ports and Registered Ports are set aside for listeners
(the difference between them has to do with the level of privilege
needed in various OS's to access different port numbers). It's the
Dynamic ports that programs are supposed to use to connect _from_.
Therefore, the only stance we can take on this based on the RFC's is
that the firewall should allow connections only from 49152-65535.
Experience tells me this isn't going to work.
In most OS implementations, ordinary user processes get ports above 1023
when asking for a port to call out on, and privileged processes may
request the lower numbered ports. OS' without the concept of privilege
obviously can't follow this model. Sounds like a pretty weak model to
base a firewall rule on.
Not to mention, why exactly should you care what port the connection is
coming from? Unless you can guarantee that the connection is coming
from a machine you administer, there's no reason to trust any port more
than any other port. Guaranteeing where the connection came from, in
this context, means either strong/crypto authentication or a very small
number of IP's in address ranges that the firewalls guarantee come from
a particular net segment where you physically control that net segment
and all the paths leading to it.
--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese@merck.com
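An added example, not part of the original post, that makes the two objections above concrete: a policy that admits connections only from the IANA dynamic range (49152-65535) both rejects ordinary clients on systems that hand out ephemeral ports from 1024 upward and admits any host at all that happens to use a high port, whereas a policy keyed on a small set of source networks the firewall can vouch for does not depend on the client's port choice. The policy function names, the trusted network and the sample addresses are constructed for this illustration.

```python
"""Constructed example: what a source-port rule buys you versus a source-network rule."""
from ipaddress import ip_address, ip_network

# IANA ranges quoted in the post above.
def port_class(port: int) -> str:
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

# Hypothetical policy 1: the only rule derivable from the IANA ranges,
# "allow inbound only when the client's source port is in the dynamic range".
def allow_by_source_port(src_ip: str, src_port: int) -> bool:
    return port_class(src_port) == "dynamic"

# Hypothetical policy 2: ignore the source port; trust only a small set of
# source networks the firewall can vouch for (the post's fallback short of
# cryptographic authentication). TRUSTED is a constructed value in the
# RFC 5737 documentation range.
TRUSTED = [ip_network("192.0.2.0/29")]

def allow_by_source_net(src_ip: str, src_port: int) -> bool:
    return any(ip_address(src_ip) in net for net in TRUSTED)

# Constructed sample connections: (description, src_ip, src_port).
SAMPLES = [
    ("trusted host, typical >1023 ephemeral port", "192.0.2.3", 1025),
    ("trusted host, IANA dynamic port", "192.0.2.3", 50000),
    ("unknown host, IANA dynamic port", "198.51.100.7", 50000),
]

def evaluate(policy) -> dict:
    """Return {description: allowed?} for every sample under one policy."""
    return {desc: policy(ip, port) for desc, ip, port in SAMPLES}

if __name__ == "__main__":
    for name, policy in (("source-port rule", allow_by_source_port),
                         ("source-network rule", allow_by_source_net)):
        print(name)
        for desc, allowed in evaluate(policy).items():
            print(f"  {'ALLOW' if allowed else 'DROP ':5} {desc}")
```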
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT