Great Circle Associates Firewalls
(July 1994)

Subject: Re: UDP thru Firewall (Was: Prospero protocol and filters)
From: Brent Chapman <brent @ mycroft . GreatCircle . COM>
Date: Thu, 21 Jul 1994 10:06:27 -0700
To: plarkin @ iphase . com
Cc: firewalls @ greatcircle . com
In-reply-to: Your message of Thu, 21 Jul 1994 11:41:13 -0500 (CDT)

plarkin@iphase.com (Patrick Larkin Jr) writes:

# In article <9407210641.AA22761@cwa.com>, uunet!cwa.com!dmurphy@iphase.com (Dan Murphy) writes:
# > Unless I'm mistaken, archie (and xarchie) use UDP, not TCP. Most of the
# > networks belonging to the "anything not permitted is forbidden" school,
# > I believe, tend to drop all UDP traffic as inherently insecure.
# 
# So, what are the risks of letting UDP thru the firewall onto any
# internal machine?  We wanted to use SOCKS to proxy (most) everything
# so that we can get user accounts off our bastion and deny any 
# packet not from the bastion from getting in. This does break archie.

Simply put, most of the "dangerous" RPC-based services (YP, NIS, NFS,
etc.) are UDP-based.  Since RPC-based services aren't tied to fixed
ports, there's no effective way with a standard packet filtering
system to block the ports used by those services; they're going to
vary from machine to machine, and even from reboot to reboot on the
same machine.  You end up blocking UDP altogether (except for tiny
little peepholes for things like DNS, and then generally only between
your bastion host outside the packet filtering system and your DNS
server inside) in order to block all the RPC-based services.

Since it's UDP rather than TCP, you can't do "start of connection" or
"established" filtering; there are no SYN and ACK bits in the headers
to examine to determine whether an incoming UDP packet is initiating a
connection, or is in response to a connection initiated from the
inside.

CheckPoint's new "FireWall-1" packet filtering product takes an
interesting approach to this problem.  When it sees an outgoing UDP
packet from an internal client to an external server, it creates a
temporary (time-limited) packet filtering rule to allow the answering
UDP packets from the server back in to the client.  The rule is
specifically bound to both the client and server host and port, and
times out after a certain period.


-Brent
--
Brent Chapman         | Great Circle Associates  | Call or email for info about
Brent@GreatCircle.COM | 1057 West Dana Street    | upcoming Internet Security
+1 415 962 0841       | Mountain View, CA  94041 | Firewalls Tutorial dates
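The dynamic UDP rule Brent describes, as an added illustration that is not FireWall-1 code and not part of the original post: a small Python model in which an outbound datagram opens a time-limited reverse rule bound to both endpoints' addresses and ports, so a reply is admitted only if it comes from that exact server and port before the rule lapses. The 40-second timeout, the 10.0.0.0/8 internal range and the addresses used are assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class ManualClock:
    """Settable clock so the expiry behaviour can be exercised deterministically."""
    def __init__(self, t=0.0):
        self.t = t
    def now(self):
        return self.t

class StatefulUdpFilter:
    """Dynamic UDP filtering: an outbound datagram opens a temporary rule bound to
    (client, client port, server, server port); only a reply matching that 4-tuple
    is admitted, and the rule lapses after `timeout` seconds."""
    def __init__(self, internal_nets, timeout=40.0, clock=time.monotonic):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.timeout = timeout  # assumed value; the post gives no figure
        self.clock = clock
        self.pending = {}  # 4-tuple -> expiry time

    def _is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.internal)

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def inspect(self, pkt):
        self._expire()
        outbound = self._is_internal(pkt.src) and not self._is_internal(pkt.dst)
        inbound = self._is_internal(pkt.dst) and not self._is_internal(pkt.src)
        if outbound:
            # Client-initiated exchange: remember it so exactly this server can answer.
            self.pending[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = self.clock() + self.timeout
            return "ACCEPT"
        if inbound and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.pending:
            return "ACCEPT"  # reply to a datagram we saw go out
        # Unsolicited inbound UDP (e.g. a probe for an RPC service), or any other traffic.
        return "DROP"
```

Without the pending-rule table this is exactly the situation described above: an inbound UDP datagram carries nothing that distinguishes an archie reply from an unsolicited probe, so the only stateless choices are blanket allow or blanket deny.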


