>
> Suppose that you have a user who goes on travel and wants to telnet in to his
> machine FOO from remote host BAR.
The easiest way to fix this is by policy;) No incoming connections.
> To allow this, the packet filtering
> firewall must allow in port 23 from BAR to FOO. Now, there are two ways to
> get around this type of authentication:
>
> a) IP address spoofing - i.e. pretend that you are host BAR
> b) Get access to host BAR, and telnet in
>
> The latter of the two is particularly nasty because it's probably not that
> difficult. Using a packet filter, and IP based authentication, when you
> trust host BAR you also implicitly trust all of the hosts that BAR trusts,
> and all that those hosts trust, etc, etc. Breaking into any one of the hosts
> in that web of trust means access to your inside machines.
>
> The biggest problem with packet filter based firewalls is the basic trust in
> IP addresses for authentication. Now, I don't know anything particular about
> FW-1, although I've been told several times that it handles UDP in a
> reasonable fashion (OK, so call me skeptical). Nevertheless, without strong
> USER authentication at the firewall, it isn't anything more than a fancy GUI
> packet filter, which is inherently less secure than an application level
> gateway.
So what if you had something that listened on port 23 on the firewall, did
reasonable authentication either via an encrypted channel with exchange of
public keys, or via a single key method. Once authenticated you'd be
able to back proxy to where you wanted to go. This, I believe, is a good
way to go; there's a real synergy between things like this and a "I hate
to say just packet filter, since FW-1 does some application stuff," packet
filter.
>
> Of course, if your packet filter is one where absolutely NO inbound traffic is
> allowed, and you trust your internal users, then I'd be inclined to say that a
> packet filter is no less secure than an app-gateway. However, as soon as you
> want to allow inbound traffic, the game is up, and the security of the packet
> filter breaks down.
I'd like a combination of free outgoing via the packet filter, and incoming
via some sort of authenticated channels.
Nothing here shows any hole implicit in FW-1 though. (You know, it's funny
that FW-1 is most often complimented for its GUI in reviews, but I found
it completely non-intuitive. I thought it was one of the worst designed
user interfaces...just trying to figure out how to apply a change to a
filter was bizarre.)
Patrick
_______________________________________________________________________
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
| (\ |
| Patrick J. Horgan Amdahl Corporation \\ Have |
| patrick@amdahl.com 1250 East Arques Avenue \\ _ Sword |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will |
| FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel |
\___________________________O16-2294________________________\)__________/
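The "web of trust" argument in the quoted text (trusting BAR means implicitly trusting every host BAR trusts, and so on) can be made concrete by walking the trust graph. This is an added example for readers of the thread, not code from the post or from FW-1; the host names and trust relationships are constructed, and an edge A -> B stands for "A accepts IP-authenticated logins from B".

```python
"""Exposure created by IP-address-based firewall/login rules (constructed example)."""
from collections import deque

# Constructed trust graph: host -> set of hosts it accepts logins from
# on the strength of their source address alone (rhosts-style trust).
TRUSTS = {
    "FOO": {"BAR"},          # the firewall lets BAR telnet to FOO
    "BAR": {"BAZ", "QUX"},
    "BAZ": {"CORGE"},
    "QUX": set(),
    "CORGE": set(),
    "GRAULT": {"FOO"},       # GRAULT trusts FOO; FOO does not trust GRAULT
}

def exposure(trusts, target):
    """Every host (other than target) whose compromise yields a login on
    target, following trust edges transitively."""
    seen = set()
    queue = deque(trusts.get(target, ()))
    while queue:
        host = queue.popleft()
        if host in seen or host == target:
            continue
        seen.add(host)
        queue.extend(trusts.get(host, ()))
    return seen

def trust_chain(trusts, start, target):
    """Shortest sequence of hops from start to target, each hop landing on a
    host that trusts the previous one; None if target is not reachable."""
    reachable = {}                      # host -> hosts that trust it
    for truster, trusted in trusts.items():
        for t in trusted:
            reachable.setdefault(t, set()).add(truster)
    prev = {start: None}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        if host == target:
            path = []
            while host is not None:
                path.append(host)
                host = prev[host]
            return path[::-1]
        for nxt in sorted(reachable.get(host, ())):
            if nxt not in prev:
                prev[nxt] = host
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print("Hosts whose compromise reaches FOO:", sorted(exposure(TRUSTS, "FOO")))
    print("Chain from CORGE to FOO:", trust_chain(TRUSTS, "CORGE", "FOO"))
```

A single allow rule for BAR exposes FOO to four hosts here, which is the risk the quoted text describes; an authenticated proxy at the firewall ties access to a credential instead of to this graph.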