Date: Tue, 01 Dec 92 11:14:18 -0800
From: Rik Farrow <rik@uworld.com>
Next, several different types of firewalls were delineated:
o packet filtering, performed by a routing device, whether
dedicated router or a workstation with a kernel making this
possible (such as DEC's ULTRIX);
Our PPP/SLIP daemon does the filtering in user space - essentially
inside the packet delivery "device". The only kernel modification is
the "IP tunnel" driver interface. It sure makes debugging easier...
Brent suggested joining the firewalls mailing list ... Currently,
there are about forty digests.
After Brent reminded us of its existence, we joined the list a few
weeks ago. I'm still plowing through the archive, trying to glean
relevant tidbits.
Topics have included filtering behavior of various routers,
application filtering vs. routers, flaws in packet filtering to
date.
While browsing the discussion archive, I'm mainly looking for ways to
critique our approach to the problem. Comments are welcome, of
course. Get ftp.morningstar.com:pub/ppp/user-guide-2up.ps.Z to see
ppp.Filter(5), if you're interested.
There are also some noteworthy products from vendors. Sun offers
itelnet and iftp ... DEC ULTRIX includes screend ...
Ours might be considered useful for some applications, where the thing
to be screened is a point-to-point network connection (anywhere from
dialup to T1). Again, critique is welcomed.
Finally, some questions. Does anybody have a firewall that hasn't
been compromised? (Answer: probably not. Can't stop everyone.)
We had four engineers at this fall's Interop, all of whom had been
involved in the design and implementation of our firewall code. And
we had brought along a copy of the sources on a SPARCbook, so we had
it all there to inspect. But before we left Columbus, we forgot to
open a crack in our home office's firewall that would be big enough to
let traffic flow to our show-floor booth network. Nope, we couldn't
crack it. It was an interesting intellectual exercise for a few days,
but then we decided that we really needed to read our e-mail, so we
dialed in and opened the door just enough.
This is not, of course, an invitation to malevolence, and it certainly
isn't a claim to having constructed a perfectly airtight firewall, but
at least it's a relevant anecdote :-)
Does anybody let UDP packets through firewalls? Never let UDP
through firewalls.
What about DNS and NTP and other such benign stuff? They should all
be handled by a proxy on the firewall or in a DMZ, right?
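The policy sketched in this message (filter on the point-to-point link, never pass UDP except DNS and NTP to a proxy in the DMZ, let internal hosts open TCP outward) can be expressed as an ordered, first-match rule list. The following is an added illustration, not code from Morning Star's ppp daemon or from this thread; the addresses, rule names and the `ack_only` field are constructed for the example. It uses the documentation ranges 10.0.0.0/8 for the inside and 192.0.2.53 for the DMZ proxy, both assumed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addresses (documentation ranges, not real hosts).
INTERNAL = ip_network("10.0.0.0/8")        # hosts behind the firewall (assumed)
DMZ_PROXY = ip_network("192.0.2.53/32")    # DNS/NTP proxy in the DMZ (assumed)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless packet filter can see."""
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit: set on every segment after the initial SYN


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack_only: bool = False          # TCP: match only if the ACK bit is set
    note: str = ""                  # why the rule exists; returned for logging

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.ack_only and not pkt.ack:
            return False
        return True


# Ordered rule list: the first matching rule decides.
RULES = [
    # DNS and NTP are only ever spoken by the DMZ proxy: its queries go out,
    # and replies are accepted back only when addressed to the proxy.
    Rule("permit", "udp", src=DMZ_PROXY, dport=53, note="proxy DNS query"),
    Rule("permit", "udp", dst=DMZ_PROXY, sport=53, note="DNS reply to proxy"),
    Rule("permit", "udp", src=DMZ_PROXY, dport=123, note="proxy NTP query"),
    Rule("permit", "udp", dst=DMZ_PROXY, sport=123, note="NTP reply to proxy"),
    # All other UDP is dropped, whatever the ports or direction.
    Rule("deny", "udp", note="no UDP through the firewall"),
    # Internal hosts may open TCP connections outward...
    Rule("permit", "tcp", src=INTERNAL, note="outbound TCP"),
    # ...and inbound TCP is accepted only with ACK set, i.e. as part of a
    # connection an inside host already opened (the stateless approximation
    # of "established"; a bare SYN from outside never matches).
    Rule("permit", "tcp", dst=INTERNAL, ack_only=True, note="established TCP reply"),
    # Default deny: anything not explicitly permitted above is dropped.
    Rule("deny", note="default deny"),
]


def filter_packet(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "no rule matched"   # unreachable while a default-deny rule is present


if __name__ == "__main__":
    # Constructed sample traffic; 198.51.100.7 stands in for an outside host.
    samples = [
        Packet("udp", "198.51.100.7", 53, "10.1.2.3", 1025),          # UDP straight to an inside host
        Packet("udp", "192.0.2.53", 4000, "198.51.100.7", 53),        # proxy's own DNS query
        Packet("udp", "198.51.100.7", 53, "192.0.2.53", 4000),        # the reply to the proxy
        Packet("tcp", "198.51.100.7", 40000, "10.1.2.3", 23),         # inbound telnet SYN
        Packet("tcp", "198.51.100.7", 80, "10.1.2.3", 40000, ack=True),  # reply to an inside client
        Packet("tcp", "10.1.2.3", 40000, "198.51.100.7", 80),         # inside host going out
    ]
    for pkt in samples:
        action, note = filter_packet(pkt)
        print(f"{action:6s} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({note})")
```

Two properties of this rule set are worth checking against the "flaws in packet filtering" discussed on the list. First, the reply rules trust the source port (53 or 123) and the destination address only, which is all a stateless filter has; that is acceptable here only because the sole destination they admit is the proxy, not an inside host. Second, the ACK-bit test is what separates "a reply to our connection" from "someone connecting in"; a filter that cannot inspect TCP flags cannot express the last two TCP rules and has to fall back to per-port permits.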