FSP isn't for us to ban or not ban. It's something to understand
and be aware of in the context of whatever network security policy each
of us is tasked with enforcing. Clearly, if you're at one end of the
spectrum, and are concerned with unauthorized and untraceable export of
data, then FSP's probably something you want to block. If you're not too
concerned about data control, it's less of a problem.
Most of the firewalls I've done in the past fell farther towards
the "control everything" side of the spectrum. To me "control everything"
implies "block everything" and that tends to lead towards non-routed
firewalls. Stuff like FSP and IP-over-IP tunnelling are general problems
with the screening router approach to firewall building. I'm not saying
there's anything wrong with screening routers; it all depends on what
you are trying to accomplish.
FSP is a non-issue. The issue is whether your firewall somehow
permits users to send data directly between networks. Implementing a
simple, inefficient reliable stream protocol on top of another packet
oriented service is left as an exercise to the reader - FSP is just an
example of one such. It happens to be an arguably *useful* example.
mjr.