Great Circle Associates Firewalls
(July 1994)
 


Subject: Re: UDP thru Firewall (Was: Prospero protocol and filters)
From: Marcus J Ranum <mjr @ tis . com>
Date: Thu, 21 Jul 94 15:50:05 EDT
To: kenj @ group1 . com, plarkin @ iphase . com
Cc: firewalls @ GreatCircle . COM

>My understanding is letting in udp packets on ports >1023 is generally
>safe, as the only listeners on those ports are clients such as archie
>waiting for a specific response.

	This is becoming a standard lecture, and I'm starting to
sound like a broken record, but please bear with me.

	What is "safe"?

	When someone writes "letting in udp packets on ports >1023
is generally safe" they are implicitly performing a risk analysis
for you. There are many, many cases where it is indeed safe to let
in UDP packets on ports > 1023; there are also many cases where it
is not at all safe to let in (or out) any UDP whatsoever -- or
even any traffic whatsoever.

	Before you know what "safe" is, you need to decide what
you're protecting, how important it is to protect it, how likely
someone is to try to attack/steal/mess with it, and how hard
they are likely to try. Then factor in how much it will hurt
you if they succeed. ONLY THEN can you say anything meaningful
about what constitutes a "safe" operation. [And what you'll
find is that "safe" == "acceptable risk"]

	If you're protecting launch codes for nuclear missiles,
your computing security practices should (please, please!) be
different from your computing security practices if you're
protecting a bunch of undergraduate CS homework.

	Don't take this as a slam at Ken Jones (the person I
am following up to) -- this is a common problem and it cuts
both the questioner and the responder equally. If I
post and ask:
	"I am connecting to the internet, is it safe to use
a router and screen off incoming telnet?"
	I'm every bit as inaccurate as the person who replies:
	"Sure! That's pretty safe!"

	If I post and ask:
	"I am connecting my nuclear reactor in New York City to the
internet, so I can control it from my fallout-proof blockhouse in
Montana. Since my user interface is X based, is it safe for me to
let X through my screening router?"

	Presumably, anyone in New York would be in a position to
give a more informed response about what is "safe" in this context.
Context is *EVERYTHING* in this game!!

mjr.
