In message <199406020339.UAA03352@large.cisco.com>, David Carrel writes:
>What I am trying to get on the table here is a discussion of the value of
>source ports in filters. In the past when I have had this discussion, I
>have either convinced the other person that their security model was less
>than they were intending, or we have agreed to disagree. But in all cases
>where the discussion was left at a point of disagreement, I have not been
>presented with any argument that didn't involve the "security through
>obscurity" argument that I outlined in my previous mail. Some seem to
>think that this is better than nothing. Thanks for the comments, I am
>listening. But in one-on-one in-depth discussions, very very few people
>have not been convinced that source port filtering wasn't what they thought
>it was as far as being a tool to complement their firewall.
>
>I have no silly notions that I will convince everyone. But I might learn
>something from the discussion. Others might too...
Some of my sites run authenticated NTP. All of these "connections" run
on port 123, and they all include appropriate encryption. However
these sites also allow others to chime against them.
If I want to I think I should have the right to set up a filter that says:
block all packets to the ntp port that don't come from port 123
and have the blasted router log
dropped from a.b.c.d port 1980 to 198.127.63.18 port 123
so that I can see that somebody at a.b.c.d is potentially my
cages. Especially with all of the various little tools to probe ports
out there. This feature is very useful.
Right now I am evaluating using two karl bridges back to back to
provide this functionality (about $2400 US).
-- John
John Rouillard
Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred) Boston, MA, (617) 287-6480
==============================================================================
My employers don't acknowledge my existence much less my opinions.
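A small evaluator for the filter and log line John describes above, added here as an example; it is not part of the original message or of any router's configuration. The Packet class, the function names and the 192.0.2.x addresses are assumptions, and the sample traffic is constructed.

```python
# Stateless source-port filter from the post (hypothetical helper, not a
# router config): drop packets to the NTP port whose source port is not 123
# and emit a log line in the format the post quotes.  Sample data is constructed.
from dataclasses import dataclass
NTP_PORT = 123

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def ntp_source_port_rule(pkt: Packet) -> bool:
    """'block all packets to the ntp port that don't come from port 123'.
    Keys only on port numbers: a sender using source port 123 is forwarded."""
    return pkt.dst_port == NTP_PORT and pkt.src_port != NTP_PORT

def drop_log_line(pkt: Packet) -> str:
    """Format a drop entry exactly as the post wants the router to log it."""
    return (f"dropped from {pkt.src_ip} port {pkt.src_port} "
            f"to {pkt.dst_ip} port {pkt.dst_port}")

def filter_packets(packets):
    """Apply the rule to a packet list; return (forwarded, log_lines)."""
    forwarded, log = [], []
    for pkt in packets:
        if ntp_source_port_rule(pkt):
            log.append(drop_log_line(pkt))
        else:
            forwarded.append(pkt)
    return forwarded, log

def suspicious_sources(log_lines):
    """Count drops per source address so a host walking the ports stands out."""
    counts = {}
    for line in log_lines:
        src = line.split()[2]  # third token is the "from" address
        counts[src] = counts.get(src, 0) + 1
    return counts

# Constructed sample traffic: one peer exchange (123 -> 123), two packets
# from ephemeral ports at the same host, and one unrelated DNS query.
SAMPLE = [
    Packet("192.0.2.10", 123, "198.127.63.18", 123),
    Packet("192.0.2.77", 1980, "198.127.63.18", 123),
    Packet("192.0.2.77", 1981, "198.127.63.18", 123),
    Packet("192.0.2.10", 40000, "198.127.63.18", 53),
]

if __name__ == "__main__":
    print(*filter_packets(SAMPLE)[1], sep="\n")
```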