To hide a network:
the point is not to refrain from propagating routes, but to inhibit the
router's public interface from responding to icmp echo requests.
Maybe I misunderstood your term 'source filtering': I take it to mean
filtering packets that are sourced within a router. It is easier to
apply such a filter on one place instead of having to repeat it on
every interface that is there, and to maintain this when the
interfaces are reconfigured in individual host.cfg files instead of
one network.cfg file for all (sourced packets only if for all
interfaces or all routers on the same interface, which is not really
enforceable).
The facilitation is not to have to watch interface subcommands for
common interdictions, but to put the filter 'behind' the router's
packet source (from where stuff generated by the router itself is
filtered globally for the whole box).
If you mean filtering of incoming packets instead of outgoing
packets, there I agree with the Cisco opinion that it is not
necessary. You can always write an equivalent filtering topology for
only incoming filtering, or only outgoing filtering, giving the same
results. Cisco's 'established' mechanism allows here for efficient
ftp filtering. I am using it and it works: from outside you cannot
ftp but from the inside there are no restrictions.
One thing I see in the messages is the problem of 'trust': my view
is, that it is necessary to have a level of trust at least towards
the people within the trusted domain. That trust is there anyways
even without networks. There are many ways of transporting
confidential information out of a company without using a traceable
computer network. Most companies do not employ sophisticated
security towards the employees, so why then do this on the
network?
There is no defense against collaborating people that bring up a
server with a certain socket and thus make available all data on
their workstation, including anything that is mounted.
Just as there is no defense against people that carry out drawings or
documents 'to work at home on it'.
There are of course high security departments. But those have no
direct network access anyways (that's where the employees' bags and
pockets are searched before leaving the development/engineering
area).
In my opinion, I would prefer to have someone use an IP network to
compromise company confidentiality, since pretty much everything is
traceable. This does not mean that every packet must be screened.
Traffic statistics, suspicious traffic patterns, or all of a sudden
lots of outgoing traffic from somewhere from where it is not useful,
nor the habit, can trigger second level checks and, if proven
necessary, tight supervision, up to tracing.
The difficulty of protecting against consenting and cooperating
employees in 'spy' cases should be obvious if you look at the best
and secure facility you could think of: CIA.
Mike
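The 'established' mechanism the post relies on, modelled as an added example (not code from the post or from Cisco): the address range and access-list number are constructed sample values, and the model assumes the documented IOS behaviour that 'established' matches a TCP segment whenever its ACK or RST bit is set, without tracking connections.

```python
"""Model of the Cisco IOS access-list keyword 'established' behind the ftp
filtering described above.  Added example, not code from the post or from
Cisco.  Assumptions: 192.0.2.0/24 is a constructed stand-in for the company
network; 'established' matches a TCP segment whenever its ACK or RST bit is
set and keeps no connection state (it inspects flags only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")  # constructed: the trusted network

@dataclass(frozen=True)
class TcpSegment:
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def established(seg: TcpSegment) -> bool:
    """Stateless check: does the segment carry ACK or RST?"""
    return seg.ack or seg.rst

def outside_in_acl(seg: TcpSegment) -> str:
    """Applied with 'ip access-group 101 in' on the outside interface:
         access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
       then the implicit 'deny ip any any'."""
    if ip_address(seg.dst) in INSIDE and established(seg):
        return "permit"
    return "deny"

def router_decision(seg: TcpSegment) -> str:
    """Outgoing traffic is unfiltered, as in the post; traffic arriving from
    outside passes through the list above."""
    if ip_address(seg.src) in INSIDE:
        return "permit"
    return outside_in_acl(seg)

def ftp_control_handshake(client: str, server: str) -> list:
    """Decisions for the three segments of an ftp control-channel handshake.
    The reply SYN/ACK carries ACK, so only a session opened from outside is
    stopped, at its first SYN.  Caveats: active-mode ftp data connections
    (server port 20 -> client, plain SYN) are denied too, and any outside
    segment with ACK set passes whether or not a connection exists, which
    is why stateful inspection later superseded this keyword."""
    return [
        router_decision(TcpSegment(client, server, 21, syn=True)),
        router_decision(TcpSegment(server, client, 1025, syn=True, ack=True)),
        router_decision(TcpSegment(client, server, 21, ack=True)),
    ]
```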