-----BEGIN PGP SIGNED MESSAGE-----
[I had to reformat your very long line text]
manuel> My point was that a firewall shouldn't have many inbound
manuel> ports open anyway. The ones that are open are probably
It doesn't open 64k ports. That would be silly and
wasteful. It has one port open that listens to all ports not
otherwise listened to.
Remember: it runs on a secure OS, with a modified
TCP/IP stack. It used to ship with all relevant vendor
patches installed, and it used to install from CD. Expecting
users to install a dozen vendor patches before the firewall,
is not a good idea, nor is installing the whole OS!
I understand that the NT and Solaris versions have changed
this... one reason why I can't recommend it anymore. The
only firewall that I know of that ships with the OS included
is now Secure Computing/BorderWare.
One feature of BlackHole (I'm sorry. The new names suck)
is that it allows one to write a rule that allows all
services. So a policy might read:
use telnet or HTTP for single sign on.
once signed on ("transparent mode"), allow all outgoing services.
BUT, no HTTP to www.playboy.com, and
no IRC during business hours.
no Pointcast ever, due to bandwidth and security considerations
manuel> previous mail. What they are saying is that if you have a
manuel> hole in your firewall it will be harder for the attacker to
manuel> find it. I still think the hole shouldn't be there to start
manuel> with. Besides, what they are doing can be done with any
manuel> other firewall anyway (you can define ACL's for all the
manuel> ports if you want). But it can be avoided as well.
There are two ways to avoid giving away your security
policy:
1. try and always return RST to intruders as if the service was not there.
but, you have to connect to legitimate people, so
you risk false *negatives* which is a denial of service.
2. always bring up a connection, providing false positives.
At one point, however, a SYN scan would cause the log
system to go overboard, and it would take several hours to
catch up. I think this got fixed by detecting the scan
earlier.
I do not believe that there is any defense against SYN
spamming, despite claims by Milkyway Networks. It would be
easy for them to add, since they already have the TCP/IP
stack source.
:!mcr!: | Network security programming, currently
Michael Richardson | on contract with SSH IPSEC (http://www.ssh.fi/)
WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr @ sandelman . ottawa . on . ca</A>. PGP key available.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface
iQB1AwUBNDPXKKZpLyXYhL+BAQHsQAL9GzNed4qW6CpMxp/rzRCtFe3vK5l/35lY
T4U849dnehOeU/HaAgDIxzZ0VvsDwTUUhhUg4qEryWBdIjrZAB5i38szv9oHRg2v
/8cZeCd+8qPz7X1goE6/Y0ORwjVAo1HQ
=OKMX
-----END PGP SIGNATURE-----
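The mail mentions a firewall whose log system fell hours behind during a SYN scan because every probed port produced its own log entry, and that the fix was to detect the scan earlier. The following is an added illustration of that idea, written for this page rather than taken from the mail or from any firewall product it names: per-source state counts distinct destination ports within a sliding window, and once an assumed threshold is crossed the remaining probes from that source are folded into one summary record instead of one line per port. The threshold, window length and all addresses and events are constructed values.

```python
"""
Added example, not code from the original mail or from any firewall named in it:
a scan-aware reject logger that stops per-port logging once a source has
clearly started a port scan, so that a SYN scan cannot flood the log.
"""
from collections import defaultdict, deque

SCAN_THRESHOLD = 20    # distinct ports from one source before it counts as a scan (assumed)
WINDOW_SECONDS = 60.0  # sliding window over which distinct ports are counted (assumed)


class ScanAwareLogger:
    def __init__(self, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.lines = []                    # what would be written to the log
        self._probes = defaultdict(deque)  # src -> deque of (timestamp, dport)
        self._suppressed = {}              # src -> number of probes folded into the summary

    def _prune(self, src, now):
        """Drop probes that fell out of the window for this source."""
        q = self._probes[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def handle_syn(self, ts, src, dport):
        """Record one unsolicited SYN; return the log line emitted, or None if suppressed."""
        self._prune(src, ts)
        q = self._probes[src]
        q.append((ts, dport))
        if src in self._suppressed:
            # Already known to be scanning: count it, do not write a line.
            self._suppressed[src] += 1
            return None
        distinct_ports = len({p for _, p in q})
        if distinct_ports > self.threshold:
            # Detect the scan early and switch this source to summary mode.
            self._suppressed[src] = 0
            line = (f"{ts:.1f} SCAN src={src} distinct_ports>{self.threshold} "
                    f"within {self.window:.0f}s; suppressing per-port entries")
            self.lines.append(line)
            return line
        # Retries to the same port do not raise the distinct-port count,
        # so a single misconfigured client is still logged line by line.
        line = f"{ts:.1f} REJECT src={src} dport={dport}"
        self.lines.append(line)
        return line

    def flush(self, ts):
        """Emit one summary per suppressed source (at shutdown or periodically)."""
        for src, extra in self._suppressed.items():
            self.lines.append(f"{ts:.1f} SCAN-SUMMARY src={src} additional_probes={extra}")
        self._suppressed.clear()


def replay(events):
    """Run a list of (timestamp, src, dport) events through the logger; return the log lines."""
    log = ScanAwareLogger()
    last_ts = 0.0
    for ts, src, dport in events:
        log.handle_syn(ts, src, dport)
        last_ts = ts
    log.flush(last_ts)
    return log.lines


def constructed_events():
    """Constructed sample traffic: two stray SYNs from one host, then a 1024-port sweep."""
    events = [(1.0, "192.0.2.10", 25), (2.0, "192.0.2.10", 110)]
    events += [(10.0 + i * 0.01, "203.0.113.7", port)
               for i, port in enumerate(range(1, 1025))]
    return sorted(events)


if __name__ == "__main__":
    for line in replay(constructed_events()):
        print(line)
```

With the constructed input, the 1026 events produce 24 log lines: two rejects for the stray host, twenty rejects for the sweep before the threshold is crossed, one SCAN line, and one summary accounting for the other 1003 probes. Without the suppression every one of the 1024 sweep probes would have been a separate entry, which is the backlog the mail describes.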