Great Circle Associates Firewalls
(October 1992)

Subject: Re: Filters and interfaces.
From: Amos Shapira <amoss @ cs . huji . ac . il>
Date: Mon, 05 Oct 92 21:17:17 +0200
To: Michel Fingerhut <Michel . Fingerhut @ ircam . fr>
Cc: firewalls @ GreatCircle . COM
In-reply-to: Your message of Mon, 5 Oct 1992 18:32:33 +0100 . <199210051732 . AA12953 @ vaslav . ircam . fr>

In message <199210051732.AA12953@vaslav.ircam.fr> you write:
|smb@ulysses.att.com writes:
|
|> Cisco routers filter on output, not input, a serious disadvantage for
|> security purposes.
|
|Yes, but since they filter on both interfaces, the internal and
|external ones, "filtering on input" on one interface is achieved
|by "filtering on output" on the other one.  This is feasible and
|that's how we do it.

You claim you are using it, so I guess you can testify about this:

Wouldn't it be easier for you in some cases to filter packets at one
concentrated point on arrival rather than checking for them separately on
each and every interface before sending them away?  Not only might the
configuration be simpler, but I also think you gain some performance, since the
router won't waste cycles deciding about a route for a packet it's going to
discard anyway.

Brad Chapman describes in his (excellent, IMO) paper about the advantages
of packet filtering how this could help.  There must be better places to
fetch it from, but if you want one, a copy is available on ftp.huji.ac.il in
directory pub/doc/firewalls, file pkt_filtering.ps.Z (this site is in Israel, so please!)

To give you a specific example: our net is 132.65.x.x and we have a Cisco as
a gateway.  Its Ethernet Interface 2 is the fiber link to outside.  Any
packet coming in on this link claiming to originate from 132.65.x.x is
certainly false; if I could check this on Interface 2, then I wouldn't need
to check for it on the other interfaces.  Get the idea?  Of course you
can say this is a little gain, but I guess people can come up with more
convincing examples.

Cheerio

--Amos Shapira

CS System Group, Hebrew University, Jerusalem, Israel
amoss@cs.huji.ac.il
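The anti-spoofing check Amos describes, modelled as an added example that is not part of the original post: a packet arriving on the external link with a 132.65.x.x source address is forged, and checking it once on input (before routing) needs one rule, whereas the output-side placement needs the same rule on every interface the packet might leave through. The interface names other than the external link and the toy routing function are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Site address block and external link as stated in the post.
INTERNAL_NET = ipaddress.ip_network("132.65.0.0/16")
EXTERNAL_IF = "Ethernet2"
# Assumed internal interfaces (constructed for the example).
INTERNAL_IFS = ["Ethernet0", "Ethernet1", "Ethernet3"]
ALL_IFS = INTERNAL_IFS + [EXTERNAL_IF]


@dataclass
class Packet:
    src: str    # source IP address
    dst: str    # destination IP address
    in_if: str  # interface the packet arrived on


def spoofed_from_outside(pkt: Packet) -> bool:
    """A packet entering on the external link with an internal source is forged."""
    return pkt.in_if == EXTERNAL_IF and ipaddress.ip_address(pkt.src) in INTERNAL_NET


def route(pkt: Packet) -> str:
    """Toy routing (assumption): internal destinations spread over the internal
    interfaces by third octet; everything else leaves via the fiber link."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in INTERNAL_NET:
        return INTERNAL_IFS[int(pkt.dst.split(".")[2]) % len(INTERNAL_IFS)]
    return EXTERNAL_IF


def forward_input_filtered(pkt: Packet) -> tuple:
    """Input filtering: one check on arrival; a forged packet is never routed."""
    if spoofed_from_outside(pkt):
        return ("drop", "input:" + EXTERNAL_IF)
    return ("forward", route(pkt))


def forward_output_filtered(pkt: Packet) -> tuple:
    """Output filtering: the router routes first, and the same check must be
    present on whichever interface the packet is about to leave through."""
    out_if = route(pkt)
    if out_if in ALL_IFS and spoofed_from_outside(pkt):
        return ("drop", "output:" + out_if)
    return ("forward", out_if)


def rules_needed(mode: str) -> int:
    """Number of interfaces that must carry the anti-spoofing rule."""
    return 1 if mode == "input" else len(ALL_IFS)
```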
