> > Take, for
> > example, Archie service. Now, there are only 5 Archie servers in the
> > U.S. I'm reasonably willing to trust that these 5 machines are
> > well-run, and that someone isn't going to be able to get onto one of
> > these machines and substitute something else in place of the Archie
> > server in order to attack little old me (if they did, I'm sure
> > somebody would notice in a real hurry, when Archie stopped working). If a
> > packet comes in with a source address of one of these 5 machines and a
> > source port of 1525 (the archie server port), I'm willing to believe
> > it (unless I'm building a firewall for a _really_ paranoid site).
>
> If indeed you are so willing to trust this machine, then I suggest that you
> should trust ANY source port on it. If that sounds disconcertingly
> dangerous, then you need to rethink whether or not trusting the archie
> source port was a good idea in the first place. To trust ANY source port,
> you must trust that the IP address is not spoofed, that the machine has not
> been compromised, and that the admins are trustable. If any one of those
> was not true, would you still want to trust ANY port? If the answer is
> "no", then you cannot trust ANY port, and that includes the archie server
> port.
I think you are missing something here. The trust is based (IMHO) not only
on a risk assessment of IP spoofing and the machine's security BUT on the
danger if those assumptions prove to be false, i.e. what happens in the worst
case scenario. With source port filtering you can limit the damage. I am
fairly confident that those nasty archie/prospero packets can be
dealt with. I am much more concerned with letting those telnet and RPC packets
through. You should only give as much trust to a host as it needs to do
what you want it to do.
Brad Passwaters                      bjp@nsm.bell-atl.com
BAINET Technical Services            bf5t0p6@bell-atl.com (OSIN)
Voice: 301-236-6221   FAX: 301-236-1061
-------------------------------------------------------------------------------
"...and he never wondered what was right or wrong, he just knew, he just knew"
David Crosby and Phil Collins "HERO"
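The disagreement in this thread is about how much a "source address plus source port 1525" rule actually limits the damage if one of the trusted hosts turns out to be spoofed or compromised. The following is an added example, not code from the thread or from any real firewall product: a tiny first-match packet filter in Python that evaluates two rule sets side by side. The "loose" rule set is the one the quoted post describes (trust port 1525 from the trusted hosts, nothing else checked); the "tight" one narrows it to UDP, to the local network, and to unprivileged destination ports, so that a packet that merely claims source port 1525 cannot reach telnet (23) or the RPC portmapper (111). The addresses are constructed from the RFC 5737 documentation ranges; the page does not name the real Archie servers and none are needed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample values (RFC 5737 documentation ranges), not real hosts.
TRUSTED_ARCHIE_SERVERS = frozenset({ip_address("192.0.2.10"), ip_address("192.0.2.11")})
INTERNAL_NET = ip_network("198.51.100.0/24")
ARCHIE_PORT = 1525  # the Archie/Prospero server port named in the thread


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: Optional[str] = None       # None matches any protocol
    src: Optional[frozenset] = None   # set of permitted source addresses, or any
    sport: Optional[int] = None       # exact source port, or any
    dst: Optional[object] = None      # ip_network the destination must lie in, or any
    dport_min: int = 0                # inclusive destination-port range
    dport_max: int = 65535

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in self.src:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dst is not None and ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport_min <= pkt.dport <= self.dport_max


def filter_packet(rules, pkt: Packet) -> str:
    """First matching rule wins; anything that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The rule as quoted in the thread: trusted source address and source port 1525,
# with no constraint on protocol or on where the packet is going.
LOOSE_RULES = [
    Rule("permit", src=TRUSTED_ARCHIE_SERVERS, sport=ARCHIE_PORT),
]

# The same trust, narrowed to what an Archie reply actually needs: UDP, sent to
# our own network, and only to the unprivileged port a client would have used.
TIGHT_RULES = [
    Rule("permit", proto="udp", src=TRUSTED_ARCHIE_SERVERS, sport=ARCHIE_PORT,
         dst=INTERNAL_NET, dport_min=1024),
]

# Constructed sample traffic: one legitimate Archie reply, and three packets that
# carry the trusted source address and port but are not Archie replies.
ARCHIE_REPLY = Packet("udp", "192.0.2.10", 1525, "198.51.100.5", 4000)
TO_TELNET = Packet("tcp", "192.0.2.10", 1525, "198.51.100.5", 23)
TO_PORTMAP = Packet("udp", "192.0.2.10", 1525, "198.51.100.5", 111)
UNKNOWN_SRC = Packet("udp", "203.0.113.7", 1525, "198.51.100.5", 4000)


def compare_rulesets():
    """Return {packet label: (loose verdict, tight verdict)} for the samples above."""
    samples = {"archie_reply": ARCHIE_REPLY, "to_telnet": TO_TELNET,
               "to_portmap": TO_PORTMAP, "unknown_src": UNKNOWN_SRC}
    return {name: (filter_packet(LOOSE_RULES, p), filter_packet(TIGHT_RULES, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (loose, tight) in compare_rulesets().items():
        print(f"{name:13s} loose={loose:6s} tight={tight}")
```

Both rule sets let the real Archie reply through; only the tight one denies the packets to 23 and 111, which is the "limit the worst case" argument made in the reply above. The unknown source is denied by both, which shows what the source-address check buys on its own.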