Great Circle Associates Firewalls
(January 1995)

Subject: Re: screend
From: Marcus J Ranum <mjr @ tis . com>
Organization: Trusted Information Systems, Inc. Glenwood, MD
Date: Sun, 22 Jan 1995 20:04:40 -0500 (EST)
To: jon @ nytimes . com (Jon E. Price)
Cc: Firewalls @ greatcircle . com
In-reply-to: <9501202011 . AA20949 @ mailgate . nytimes . com> from "Jon E. Price" at Jan 20, 95 03:11:03 pm
Phone: 301-854-6889

> We have a screend filter (from DEC).
> In the Firewalls and Internet Security book on p. 66 it says that with
> screend there is no protection against address-spoofing.

	The issue is that screend (like many screening systems)
doesn't have the ability to filter based on where the traffic CAME
from rather than from where it CLAIMS to come from. Newer versions
of routers can do this, and I STRONGLY RECOMMEND that anyone with
a router-based firewall upgrade their ROMs.

	Suppose I have a screening router with 2 interfaces, le0 and
le1, where le1 is the "outside" and le0 is the "inside". Suppose my
inside net is 192.33.112 and I tell the router it can "route anything
from 192.33.112 to anyplace" but "only allow incoming traffic to
go to my bastion 192.33.112.117" -- the flaw in the system is that
the router has no idea if the traffic came in on le0 or le1. What
if I have someone fake a packet so it comes in on le1 (the outside)
claiming to come from 192.33.112.110, which the bastion trusts?
OOOOoooops.

	You could get around this by more restrictive rules, but
the easiest way to do it would be to be able to tell the router
"if you get traffic in le1 claiming to come from 192.33.112.* it
is FAKE, call the police" :)  After all, no real machines from
net 192.33.112 will be on the *OUTSIDE*, right?

mjr.[Look what a nerd I am, reading firewalls on my vacation]
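
The two rule sets Ranum describes, modelled as an added example (this is not code from the original post and not screend itself): a first-match packet filter with a default deny, run once with rules that cannot see the arrival interface and once with an anti-spoofing rule placed in front of them. The inside net 192.33.112.0/24, the bastion 192.33.112.117, the trusted host 192.33.112.110 and the interface names le0/le1 come from the message; the outside address 198.51.100.7 and the inside host 192.33.112.50 are constructed for the demonstration.

```python
"""Interface-blind vs interface-aware screening-router rules.

Added example modelling the router in the message above: le0 = inside,
le1 = outside, inside net 192.33.112.0/24, bastion 192.33.112.117.
198.51.100.7 (an outside host) and 192.33.112.50 (another inside host)
are constructed addresses, not from the original post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

INSIDE_NET = IPv4Network("192.33.112.0/24")
BASTION = IPv4Address("192.33.112.117")
ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    in_iface: str        # interface the packet physically arrived on
    src: IPv4Address     # claimed source address; attacker-controlled
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    in_iface: Optional[str] = None   # None: rule does not look at the interface

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        return pkt.src in self.src and pkt.dst in self.dst


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; nothing matches means deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The policy as stated: "route anything from 192.33.112 to anyplace" and
# "only allow incoming traffic to go to my bastion". Neither rule can tell
# which interface the packet came in on.
BLIND_RULES = [
    Rule("permit", src=INSIDE_NET),
    Rule("permit", dst=IPv4Network(f"{BASTION}/32")),
]

# Same policy with the anti-spoofing rule in front: a packet arriving on
# le1 (outside) with an inside-net source address cannot be genuine.
AWARE_RULES = [Rule("deny", src=INSIDE_NET, in_iface="le1")] + BLIND_RULES

# Constructed test traffic.
SPOOF_TO_BASTION = Packet("le1", IPv4Address("192.33.112.110"), BASTION)
SPOOF_TO_INSIDE = Packet("le1", IPv4Address("192.33.112.110"),
                         IPv4Address("192.33.112.50"))
INSIDE_OUT = Packet("le0", IPv4Address("192.33.112.110"),
                    IPv4Address("198.51.100.7"))
OUTSIDE_TO_BASTION = Packet("le1", IPv4Address("198.51.100.7"), BASTION)
OUTSIDE_TO_INSIDE = Packet("le1", IPv4Address("198.51.100.7"),
                           IPv4Address("192.33.112.50"))


def compare(pkt: Packet) -> dict:
    """Decision under both rule sets, for one packet."""
    return {"blind": decide(BLIND_RULES, pkt), "aware": decide(AWARE_RULES, pkt)}


if __name__ == "__main__":
    for name, pkt in [("spoof->bastion", SPOOF_TO_BASTION),
                      ("spoof->inside", SPOOF_TO_INSIDE),
                      ("inside->out", INSIDE_OUT),
                      ("outside->bastion", OUTSIDE_TO_BASTION),
                      ("outside->inside", OUTSIDE_TO_INSIDE)]:
        print(f"{name:18} {pkt.in_iface} {pkt.src} -> {pkt.dst}: {compare(pkt)}")
```

Under the blind rules the spoofed packet is permitted by the very first rule, whether it is aimed at the bastion or at any other inside host, exactly the "OOOOoooops" in the message. With the interface-aware deny in front, the same packet is dropped while legitimate inside-to-outside and outside-to-bastion traffic is unaffected. Ordering matters: because evaluation is first-match, the anti-spoofing rule has to precede the "permit from inside net" rule, or it never fires.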


Follow-Ups:
  • Re: screend
    From: "Jim.Shaw" <Jim . Shaw @ actrix . gen . nz>
  • Re: screend
    From: robp @ anubis . network . com (Rob Peglar)

References:
  • screend
    From: jon @ nytimes . com (Jon E. Price)