MICHAEL NITTMANN <NITTMANN@UWLAX.EDU> writes:
>If you mean filtering of incoming packets instead of outgoing
>packets, there I agree with the Cisco opinion that it is not
>necessary. You can always write an equivalent filtering topology for
>only incoming filtering, or only outgoing filtering, giving the same
>results. Cisco's 'established' mechanism allows here for efficient
>ftp filtering. I am using it and it works: from outside you cannot
>ftp but from the inside there are no restrictions.
I disagree. The assumption here is that I only have a single interface
feeding some network, for example a link to the Internet. What if I
have other networks, each of which needs (at least a modicum of) protection
from the others?
For example, what if I have a router connecting to:
the internet
the R&D subnet
the Human Resources subnet
the Accounting subnet
Each of these will likely need some level of screening; otherwise, people
in R&D could find out how much their peers earn, and how often they were
sick.
If you only filter on an incoming (or outgoing) interface, you need more
routers. Now we router vendors LOVE to hear that, but it's not really
very practical for most people.
- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone: +1 301 596-2270
8965 Guilford Road, Suite 250 | fax: +1 410 381-3320
Columbia, MD, 21046 USA | voice mail: (800) 233-1485
--------------------------------------------------------------------------
if (setsockopt(skfd,SOL_SOCKET,STD_DISCLAIMER,(char *), &sbuff,&optlen) < 0)
printf ("Standard Disclaimers Apply ...\n");
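To make the point about multiple interfaces concrete, here is an added toy model (my own illustration, not Cisco code and not from anyone in the thread) of a four-interface router that applies a separate inbound access list on each interface; the subnets, rules and the 'established' check (match only packets with the TCP ACK/RST bit set) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 0
    ack: bool = False  # TCP ACK/RST bit set: what the 'established' keyword tests

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # match only packets of an already-open TCP session

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (not self.established or p.ack))

def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching rule wins; an access list ends with an implicit deny."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed topology: one router, four interfaces, one inbound list each.
INTERNET, RND, HR, ACCT = "203.0.113.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"
INSIDE = "10.0.0.0/8"
INBOUND_ACLS = {
    INTERNET: [Rule("permit", dst=INSIDE, established=True)],  # replies only: no new ftp from outside
    RND:      [Rule("deny", dst=HR), Rule("deny", dst=ACCT), Rule("permit")],
    HR:       [Rule("deny", dst=RND), Rule("permit")],
    ACCT:     [Rule("deny", dst=RND), Rule("permit")],
}

def filter_packet(p: Packet) -> str:
    """Apply the inbound list of the interface the packet arrives on."""
    for subnet, acl in INBOUND_ACLS.items():
        if ip_address(p.src) in ip_network(subnet):
            return evaluate(acl, p)
    return "deny"  # packet from no known interface
```

Filtering inbound on every interface lets one box keep R&D out of Human Resources while still allowing replies to inside-initiated ftp sessions from the Internet.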