Brent,
Wow, my mistake!! I assumed after all your talk on the firewalls list
about not starting flame wars that I could respond to your mail with a
serious technical question without starting up the namecalling. I was
looking for reasons why source port filtering is desirable. Trust me,
I have already heard the arguments that cisco is patronizing. Call it what
you like.
'Nuff said!
What I am trying to get on the table here is a discussion of the value of
source ports in filters. In the past when I have had this discussion, I
have either convinced the other person that their security model was less
than they were intending, or we have agreed to disagree. But in all cases
where the discussion was left at a point of disagreement, I have not been
presented with any argument that didn't involve the "security through
obscurity" argument that I outlined in my previous mail. Some seem to
think that this is better than nothing. Thanks for the comments, I am
listening. But in one-on-one in-depth discussions, very very few people
have not been convinced that source port filtering wasn't what they thought
it was as far as being a tool to complement their firewall.
I have no silly notions that I will convince everyone. But I might learn
something from the discussion. Others might too...
> Take, for
> example, Archie service. Now, there are only 5 Archie servers in the
> U.S. I'm reasonably willing to trust that these 5 machines are
> well-run, and that someone isn't going to be able to get onto one of
> these machines and substitute something else in place of the Archie
> server in order to attack little old me (if they did, I'm sure
> somebody would notice in a real hurry, when Archie stopped working). If a
> packet comes in with a source address of one of these 5 machines and a
> source port of 1525 (the archie server port), I'm willing to believe
> it (unless I'm building a firewall for a _really_ paranoid site).
If indeed you are so willing to trust this machine, then I suggest that you
should trust ANY source port on it. If that sounds disconcertingly
dangerous, then you need to rethink whether or not trusting the archie
source port was a good idea in the first place. To trust ANY source port,
you must trust that the IP address is not spoofed, that the machine has not
been compromised, and that the admins are trustable. If any one of those
was not true, would you still want to trust ANY port? If the answer is
"no", then you can not trust ANY port and that includes the archie server
port.
To everyone reading this. Please respond to the issue of source ports
only. All further mail about whether or not cisco is the
greatest company in the world will be ignored. ;-)
Dave
----------------------------------------------------------------------------
David Carrel | E-mail: carrel@cisco.com
Security Development, cisco Systems | phone: (415) 324-5207
P.O. Box 3075, 1525 O'Brien Dr. | fax: (415) 428-5080
Menlo Park, Ca, 94025-1435 |
----------------------------------------------------------------------------
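The argument above (a source-port rule trusts everything the remote host chooses to send with that port, so it trusts the host) can be made concrete with a small packet-filter model. The following is an added example written for this page, not code from the original message or from cisco; the addresses are constructed TEST-NET values, the ACL is a first-match, implicit-deny model of the archie rule quoted above, and the `Packet`/`Rule` types and helper names are this example's own. It shows that the rule admits a legitimate archie reply and, equally, any packet that someone on the archie host aims at an inside service above port 1023 while binding source port 1525, and that choosing that source port needs no privilege at all on a Unix sender.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", or "ip" (matches any protocol)
    src: str                          # host address or "any"
    sport: Optional[Tuple[str, int]]  # ("eq", n), ("gt", n), or None for any port
    dst: str
    dport: Optional[Tuple[str, int]]

def _port_ok(cond: Optional[Tuple[str, int]], port: int) -> bool:
    if cond is None:
        return True
    op, value = cond
    return port == value if op == "eq" else port > value

def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and _port_ok(rule.sport, pkt.sport)
            and _port_ok(rule.dport, pkt.dport))

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match semantics with an implicit deny at the end, like a router ACL."""
    for rule in acl:
        if _rule_matches(rule, pkt):
            return rule.action
    return "deny"

ARCHIE_SERVER = "192.0.2.10"   # constructed address (TEST-NET-1), not a real archie host
INSIDE_HOST = "198.51.100.7"   # constructed inside workstation
ARCHIE_PORT = 1525

# The rule described in the quoted post: let the archie server's replies in.
ACL = [
    Rule("permit", "tcp", ARCHIE_SERVER, ("eq", ARCHIE_PORT), "any", ("gt", 1023)),
    Rule("deny", "ip", "any", None, "any", None),
]

def archie_reply() -> Packet:
    """The packet the rule was written for: server port 1525 back to a client's high port."""
    return Packet("tcp", ARCHIE_SERVER, ARCHIE_PORT, INSIDE_HOST, 40001)

def forged_from_archie_host(dport: int) -> Packet:
    """A packet built by whoever controls the archie host, aimed at an inside service
    on dport. On the wire nothing distinguishes it from a reply: same src, same sport."""
    return Packet("tcp", ARCHIE_SERVER, ARCHIE_PORT, INSIDE_HOST, dport)

def choose_source_port(port: int) -> int:
    """A sender picks its own source port by binding the client socket before
    connecting. Ports above 1023 need no privilege on Unix, so 1525 is open to
    any local user, not just root. Returns the port actually bound."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", port))
        return s.getsockname()[1]

def free_high_port() -> int:
    """Ask the kernel for a currently free port, so the demo does not collide
    with anything listening on 1525 on this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print("archie reply      :", evaluate(ACL, archie_reply()))
    print("sport 1525 -> 2049:", evaluate(ACL, forged_from_archie_host(2049)))  # NFS
    print("sport 1525 -> 6000:", evaluate(ACL, forged_from_archie_host(6000)))  # X11
    print("sport 1525 -> 23  :", evaluate(ACL, forged_from_archie_host(23)))    # telnet
    p = free_high_port()
    print("bound chosen sport:", choose_source_port(p) == p)
```

The `gt 1023` on the destination does limit the damage to unprivileged ports, which is exactly the point: the rule does not trust "archie", it trusts every process on that host to reach every high port inside. Whether that is acceptable is the question the filter cannot answer for you.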