Great Circle Associates Firewalls
(December 1995)
 


Subject: Re: Firewall-1, any hints or gotcha's in it's installation??
From: Brain21 <brain21 @ montag33 . residence . gatech . edu>
Date: Thu, 21 Dec 1995 17:27:38 -0500 (EST)
To: Craig Anderson <craiga @ Ipsilon . COM>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <199512212019 . MAA08316 @ mailhost . Ipsilon . COM>

On Thu, 21 Dec 1995, Craig Anderson wrote:

> 
> If you don't allow any packets to land on the firewall (all services
> are provided by other machines on the DMZ) then there is no risk to
> the firewall itself.  The DMZ machines are at risk, but they are in
> captivity and can't get too far.  But I don't let packets land on
> the firewall from either inside or out; it only routes within the
> constraints of the filters.
> 
What if you get a filter wrong?  What about IP in IP attacks?  If 
something is encapsulated and gets through the firewall by means of a 
"legal" connection according to the firewall, then the header is stripped 
and sent off from INSIDE.  If there is a way to protect against that 
BEFORE it gets inside I would like to know.  AFAIK, packet filters and 
proxies filter on the packet headers, and NOT on the data contained w/i.

Thanks,

Brain21
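
The concern raised in the message above, as an added example that is not part of the original post: a filter that follows IPv4-in-IPv4 encapsulation (IP protocol 4) and applies its address rule to every nested header, compared with one that reads only the outer header. The address ranges, the DMZ host, the sample packet and all function names are assumptions made for this illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside" range
DMZ_HOST = ipaddress.ip_address("192.0.2.10")    # assumed permitted DMZ server


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header plus payload (checksum left at 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def ip_layers(packet, max_depth=4):
    """Return [(src, dst, proto), ...] for the outer header and each nested one."""
    layers = []
    while len(layers) < max_depth:
        if len(packet) < 20 or packet[0] >> 4 != 4:
            raise ValueError("truncated or non-IPv4 header")
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("bad header length")
        layers.append((ipaddress.ip_address(packet[12:16]),
                       ipaddress.ip_address(packet[16:20]), packet[9]))
        if packet[9] != IPPROTO_IPIP:
            return layers
        packet = packet[ihl:]  # step into the encapsulated datagram
    raise ValueError("encapsulation nested too deeply")


def verdict(packet, inspect_inner=True):
    """Decision for a packet arriving on the outside interface."""
    try:
        layers = ip_layers(packet)
    except ValueError:
        return "drop: malformed"
    if layers[0][1] != DMZ_HOST:
        return "drop: outer destination not permitted"
    if inspect_inner:
        for src, dst, _ in layers[1:]:
            # Nested headers must not claim, or be addressed to, inside hosts.
            if src in INSIDE_NET or dst in INSIDE_NET:
                return "drop: encapsulated packet uses inside addresses"
    return "pass"

# Constructed sample: outer header is "legal", inner header names inside hosts.
TUNNELLED = build_ipv4("198.51.100.7", "192.0.2.10", IPPROTO_IPIP,
                       build_ipv4("10.1.1.5", "10.1.1.9", 6))
```

With `inspect_inner=False` the constructed `TUNNELLED` packet passes, because only the outer destination is checked; with the default it is dropped before it reaches the host that would decapsulate it.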

