Great Circle Associates Firewalls
(June 1994)
 


Subject: Re: Cisco software update?
From: Aydin Edguer <edguer @ MorningStar . Com>
Date: Thu, 2 Jun 1994 15:15:15 -0400 (EDT)
To: firewalls @ greatcircle . com
In-reply-to: <199406021835 . LAA01218 @ large . cisco . com> from "David Carrel" at Jun 2, 94 11:35:40 am

> > I think you are missing something here. The trust is based (IMHO) not only
> > on a risk assessment of IP spoofing and the machine's security BUT of the
> > danger if those assumptions prove to be false.  IE What happens in the worst
> > case scenario.  With source port filtering you can limit the damage, I am
> > fairly confident that those nasty archie packet/prospero packets can be
> > dealt with. I am much more concerned with letting those telnet and RPC
> > packets thru.
> 
> No, I think you missed my point.  If indeed the machine is compromised
> (however unlikely) then limiting your source port filter to the archie port
> buys you very very little.

I disagree with your term "very very little".  It is misleading and
inaccurate.

First, there are different levels of compromise.  Not all types of
compromise immediately yield root access.  Without root access on the
system the intruder cannot usurp the archie/prospero port 191.

Second, there are different levels of intruder.  Just because an
intruder has acquired access to root on the system does not mean
they will use the archie/prospero port to try to break into other
systems.  They may simply use telnet - which will fail if we use
source port rather than source address.

> It is trivial for me to write a telnet program or RPC-attack-program that
> uses the archie server port as a source port.

True.  But if you are filtering on source port _and_ limit connections
to destination ports > 1024 then a telnet attack/RPC attack, even from the
archie/prospero port, will fail.

> If many people do trust archie source ports on these servers and allow them
> through their firewalls, then those archie servers become valuable targets
> for crackers.  All I have to do is break into that machine and compile my
> telnet and voila I can get into many networks.

Maybe.  But there are many maybes in life...

[possible]
Maybe telnetd has been replaced by a daemon that requires SecurID
authentication from a known IP address.

[unlikely but not completely unheard of]
Maybe there is a bug in a router vendor's filtering that will
let packets that are 1500 bytes long from port 65535 through.

The point is ...
source port filtering in addition to source addresses is better than
simply using source addresses.  Using source port/address filtering
in addition to other filtering can be a big win.

... And the absence of source port filtering can be a big lose in a
world where the object of a network is to provide services to users.
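
The three filtering policies compared in this message, as an added example that is not part of the original post. The server address, the sample packets and all function names are constructed for illustration; port 191 is the archie/prospero port as given in the message.

```python
from dataclasses import dataclass

ARCHIE_SERVER = "192.0.2.10"  # constructed address (documentation range)
ARCHIE_PORT = 191             # archie/prospero port as given in the message

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    label: str

# Inbound policies from the thread; each returns True to permit the packet.
def address_only(p):
    return p.src_ip == ARCHIE_SERVER

def address_and_source_port(p):
    return address_only(p) and p.src_port == ARCHIE_PORT

def address_source_port_high_dst(p):
    return address_and_source_port(p) and p.dst_port > 1024

POLICIES = {
    "address only": address_only,
    "address + source port": address_and_source_port,
    "address + source port + dst > 1024": address_source_port_high_dst,
}

# Constructed sample traffic, all arriving from the trusted server's address.
SAMPLES = [
    Packet(ARCHIE_SERVER, ARCHIE_PORT, 2047, "archie reply"),
    Packet(ARCHIE_SERVER, 1055, 23, "telnet from unprivileged port"),
    Packet(ARCHIE_SERVER, ARCHIE_PORT, 23, "telnet from port 191"),
    Packet(ARCHIE_SERVER, ARCHIE_PORT, 111, "portmapper from port 191"),
    Packet(ARCHIE_SERVER, ARCHIE_PORT, 6000, "listener above 1024"),
]

def permitted(policy_name):
    """Return the labels of sample packets the named policy lets through."""
    rule = POLICIES[policy_name]
    return [p.label for p in SAMPLES if rule(p)]

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name}: {permitted(name)}")
```

Even the strictest policy still passes traffic to anything listening above port 1024, so the filter narrows exposure rather than removing it.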

