Great Circle Associates Firewalls
(July 1996)
 


Subject: Re:Stateful Packet Screens
From: Ryan.Russell/SYBASE
Date: 1 Jul 96 17:07:11 EDT
To: firewalls <firewalls @ sybase . com>

Hmm.. I don't know about the CC line... sigh, the joys
of Notes mail.  Frequently the mail gets there even if 
it chews the header.  You're not the first to complain about 
my mail.

Anyway, in response to your response:

Yes, I allow any app initiated from the inside.  (At least,
any that will work with the FW, I only occasionally go 
out of my way to make one work that doesn't automatically.)

I don't consider this to be significantly less secure than
a connection with limited allowed apps.  My users 
are just as capable of hosing themselves with 
telnet/http/ftp as with any other new toy.  As I mentioned
before, the users would find a way around you.  At least
I can log what they are up to, and go back if I find something
nasty has toasted someone's machine.  

I suppose the worst case (since my FW doesn't
allow incoming, like just about any FW) would 
be that some app, likely a Web thingy, would
do some trojan stuff, and initiate a connection out
from the inside.  A proxy would allow that just
as easily. 

And yes, of course I would deny based on port.
There is nothing else to base a decision about
service type on.  Say you only allow telnet out...
I do a telnet x.x.x.x 80 or 25.  Am I running telnet,
or am I running HTTP or SMTP?

Do you have a proxy firewall in place?  Do you have
users?  Don't they complain about not being able
to use Realaudio?

    Ryan 

---------- Previous Message ----------
To: Ryan.Russell
cc: 
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 06:03:22 PM
Subject: Re: Stateful Packet Screens

> To: Peter da Silva <peter @ baileynm . com>
> Cc: firewalls <firewalls @ sybase . com>
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Are your messages getting to the list? I'll just reply to you.

> Why "low security" end of the spectrum?  Because SPF
> tends to support more app types?  I don't believe in 
> restricting the kind of data that users can access a
> reasonable form of security.

I call letting any application through by default without evaluating it
for security "low security".

And with a stateful packet filter, I don't see how you can do anything
else without a lot of very complex rules.

> And, it's quite easy for me to deny a particular
> service should I choose to.

OK, how would you set up a default-off environment with a stateful packet
filter, based on protocols (and bearing in mind that destination port
isn't really adequate, since a bandit application could listen to any
port)?
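The two positions in this exchange can be seen side by side in a toy stateful packet screen. This is an added illustration, not code from the list thread or from any product mentioned in it; the inside network, hosts, ports and packets are all constructed. It denies unsolicited inbound traffic unless it is return traffic for a connection opened from the inside, decides new outbound connections purely by destination port (the only service signal a packet filter has), and logs every new outbound connection. Cases 1 and 4 show the point both posters make from opposite sides: a browser fetching a page and a user typing `telnet x.x.x.x 80` produce exactly the same decision, because the filter cannot tell which application is behind the port.

```python
"""Toy stateful packet screen (constructed example, not code from the thread).

Inbound is denied unless it belongs to a connection initiated from inside;
outbound new connections are allowed only to listed destination ports
(default-off); every permitted new outbound connection is logged.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # constructed: addresses with this prefix are "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # True for a TCP connection-opening packet


class StatefulScreen:
    def __init__(self, allowed_out_ports):
        # Default-off policy: only these destination ports may be opened outbound.
        self.allowed_out_ports = set(allowed_out_ports)
        # Connection table keyed by (src, sport, dst, dport) of inside-initiated flows.
        self.conns = set()
        # Audit trail of new outbound connections, so there is something to go back to.
        self.log = []

    @staticmethod
    def _inside(addr):
        return addr.startswith(INSIDE_NET)

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets in either direction of a tracked connection pass.
        if key in self.conns or reverse in self.conns:
            return "ALLOW-ESTABLISHED"
        # New connection from inside to outside: decided by destination port only.
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            if pkt.syn and pkt.dport in self.allowed_out_ports:
                self.conns.add(key)
                self.log.append(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return "ALLOW-NEW"
            return "DENY-PORT"
        # Anything else is unsolicited traffic from outside: never admitted.
        return "DENY-INBOUND"


def demo():
    """Run the constructed scenario and return (decisions, log)."""
    screen = StatefulScreen(allowed_out_ports={80, 443})
    decisions = []
    # 1. A browser opens an HTTP connection to an outside web server.
    decisions.append(screen.check(Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True)))
    # 2. The server's reply: admitted only because the state entry exists.
    decisions.append(screen.check(Packet("203.0.113.9", 80, "10.0.0.5", 40000)))
    # 3. Unsolicited inbound SYN to an inside host: no state, denied.
    decisions.append(screen.check(Packet("198.51.100.7", 5555, "10.0.0.5", 22, syn=True)))
    # 4. "telnet x.x.x.x 80": to the filter this is the same decision as case 1.
    decisions.append(screen.check(Packet("10.0.0.5", 40001, "203.0.113.9", 80, syn=True)))
    # 5. Outbound to a port not on the list: default-off denies it.
    decisions.append(screen.check(Packet("10.0.0.5", 40002, "203.0.113.9", 6667, syn=True)))
    return decisions, screen.log


if __name__ == "__main__":
    results, audit = demo()
    for r in results:
        print(r)
    print("logged connections:", audit)
```

The connection table is what makes "no incoming" workable in practice: the reply in case 2 is admitted because case 1 created state, not because port 80 is trusted in either direction. The log is the only place where the two port-80 connections could later be told apart, and only if something else (a proxy, or the host itself) recorded which program opened them.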
