Great Circle Associates Firewalls
(August 1994) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: ip filtering inbound/outbound
From: greulich @ math-stat . unibe . ch (Andreas Greulich)
Date: Mon, 22 Aug 1994 17:58:05 +0200 (MET DST)
To: firewalls @ greatcircle . com 
Hello all

I'm not sure if this question was already asked, forgive me if so.
I'm wondering about the possibility that routers which seperate
an internal from an external net can filter out ip packets that
physically come from the external network but have a source ip
address that logically seems to be from the internal network
and/or packets phycally from the internal network with logical
source ip addresses from the external network. It surely isn't
enough on a cisco to define an access-list and assigning it
to an interface because it would filter out such packets in
both directions. The background of it is the rsh masquerade
attack described by bellovin and morris (in short, guessing the
other hosts initial sequence number and then imitating an rsh
connection with wrong source ip address). Most people told me
that only very few routers can actually do such direction-
sensitive filtering. When I had a look into cisco docs
recently, I found a command though that seems to accomplish just
this distinction, but I'm not sure if I misunderstood that.
The command is "ip access-group <access-list-number> {in|out}".
In all examples I saw the parameter in|out was omitted - they
write that by using in|out, access lists can be applied on
either inbound or outbound interfaces. Is this the kind of
filter that would protect from wrong source ip addresses or
did I get that wrong? And if so, why isn't the in|out parameter
more ofetn used? Is it maybe a feature that's only present in
newer software releases?

thanks in advance,		Andy

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Andreas Greulich                          University of Berne, Switzerland
----------------                          Email: greulich @
 math-stat .
 unibe .
 ch
                                          Phone home:   (+41 31) 961 7031
                                          Phone office: (+41 31) 631 8809
                                                        (+41 31) 631 4903

        "For each man in his time is Cain
         Until he walks along the beach
         And he sees his future in the water
         A long lost heart within his reach"
                                                  Elton John, "The One"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Indexed By Date Previous: RE: Multi Protocol Firewall?
From: mayer @ ljsrv2 . enet . dec . com
Next: Netlock by Hughes
From: nsaputra @ hea . com (Nancy Saputra)
Indexed By Thread Previous: Pre firewall research
From: "William D. Felling" <MRBILL+aDCPC%JSIDC @ mcimail . com>
Next: RE: ip filtering inbound/outbound
From: ted . doty @ nsco . network . com
Google
 
Search Internet Search www.greatcircle.com