> No, I think you missed my point. If indeed the machine is compromised
> (however unlikely) then limiting your source port filter to the archie port
> buys you very very little. It is trivial for me to write a telnet program
> or RPC-attack-program that uses the archie server port as a source port.
> If many people do trust archie source ports on these servers and allow them
> through their firewalls, then those archie servers become valuable targets
> for crackers. All I have to do is break into that machine and compile my
> telnet and voila I can get into many networks.
I understand what you are saying but I'm not sure I agree. In your first
message you said:
If indeed you are so willing to trust this machine, then I suggest that you
should trust ANY source port on it.
My point is that the risk of trusting ANY port on a given machine is MORE
than trusting a single port, given that certain conditions exist. Now while
I admit Brent showed me something sneaky I had not considered (thanks
Brent :-), I would be willing to wager that anyone who knocked down an
archie server or interfered with it working would be found out VERY
quickly. As another example, I would be willing to trust NNTP from UUNET
because I have a suspicion that if someone took down their News server to
play games they might notice fairly soon.
> If indeed you are worried about "telnet and RPC packets", then the proper
> course of action (IMHO) is to have your filter match on the destination
> port. The destination port is under your control (you control what is
> listening on that port).
>
No one is saying that we can't use destination filters as well.....
> > You should only give as much trust to a host as it needs to
> > do what you want it to do.
>
> No, you should only place as much trust in a host as you feel you can
> control, or as much as you are willing to allow it free rein. I think
> what you really wanted to say was "You should only allow as much _access_
> to a host as it needs to do its job." The difference between trust and
> access is that you control access, but you accept trust. It may be
> reasonable for some to trust the few archie servers to "do the right
> thing". But that is a big leap of faith for others.
Interesting point, and indeed that may be true, but I think that in this
case both trust and access are involved. In some cases destination-based
filters are unmanageable.
I don't think people are saying source port filtering is perfect but
that it is a tool for design in complex firewalls WHEN good risk analysis
has been performed.
Brad Passwaters                          bjp@nsm.bell-atl.com
BAINET Technical Services                bf5t0p6@bell-atl.com (OSIN)
Voice: 301-236-6221   FAX: 301-236-1061
-------------------------------------------------------------------------------
"...and he never wondered what was right or wrong, he just knew, he just knew"
David Crosby and Phil Collins "HERO"
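The disagreement above is about what a filter that trusts a source port actually buys you. The following is an added example, not code from the thread or from any of its authors: a toy first-match packet filter that evaluates the same three packets under a rule that trusts only the archie server's source port and under a rule that also pins the protocol and destination port. Everything in it is assumed for illustration: the addresses are constructed, the archie server is taken to answer from UDP port 1525, and the inside host is taken to run telnet on TCP 23 and the RPC portmapper on TCP 111.

```python
# Added example (not from the original post): a toy first-match packet
# filter contrasting a source-port-only trust rule with one that also
# matches on protocol and destination port.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses and assumed ports; none of these come from the thread.
ARCHIE_HOST = "192.0.2.10"   # the external archie server we decided to trust
INSIDE_HOST = "10.0.0.5"     # a host behind our filter
ARCHIE_PORT = 1525           # assumed: archie's UDP service port
TELNET_PORT = 23             # assumed: telnetd on the inside host
SUNRPC_PORT = 111            # assumed: portmapper on the inside host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One filter line. A None field is a wildcard; first matching rule wins."""
    action: str                                   # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dport_range: Optional[Tuple[int, int]] = None  # inclusive (lo, hi)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport_range is not None:
            lo, hi = self.dport_range
            if not lo <= p.dport <= hi:
                return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Filter A: trusts the archie server's source port and nothing else.
# Anyone who can run a program on ARCHIE_HOST can bind that port as the
# source of an arbitrary TCP connection and walk through this rule.
SOURCE_PORT_ONLY = [Rule("allow", src=ARCHIE_HOST, sport=ARCHIE_PORT)]

# Filter B: the same trust, but confined to UDP and to unprivileged
# destination ports, where only our archie client's reply socket lives.
# The destination port is the one thing we control on our side.
WITH_DEST_PORT = [
    Rule("allow", proto="udp", src=ARCHIE_HOST, sport=ARCHIE_PORT,
         dport_range=(1024, 65535)),
]


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Evaluate three constructed packets under both filters.

    Returns {name: (verdict under filter A, verdict under filter B)}.
    """
    legit = Packet("udp", ARCHIE_HOST, ARCHIE_PORT, INSIDE_HOST, 40123)
    spoofed_telnet = Packet("tcp", ARCHIE_HOST, ARCHIE_PORT, INSIDE_HOST, TELNET_PORT)
    spoofed_rpc = Packet("tcp", ARCHIE_HOST, ARCHIE_PORT, INSIDE_HOST, SUNRPC_PORT)
    cases = [
        ("archie reply to our client", legit),
        ("telnet from the archie port", spoofed_telnet),
        ("rpc from the archie port", spoofed_rpc),
    ]
    return {name: (evaluate(SOURCE_PORT_ONLY, p), evaluate(WITH_DEST_PORT, p))
            for name, p in cases}


if __name__ == "__main__":
    for name, (a, b) in scenarios().items():
        print(f"{name:30s} source-port-only: {a:5s}  with dest port: {b}")
```

Under filter A all three packets are allowed, because nothing in the rule distinguishes a genuine archie reply from a connection that merely originates on the same port. Under filter B the two TCP packets aimed at telnet and the portmapper are dropped while the UDP reply still gets through, which is the "use destination filters as well" position rather than a claim that source-port filtering is useless on its own.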