On Thu, 21 Dec 1995, Craig Anderson wrote:
> If you don't allow any packets to land on the firewall (all services
> are provided by other machines on the DMZ) then there is no risk to
> the firewall itself. The DMZ machines are at risk, but they are in
> captivity and can't get too far. But I don't let packets land on
> the firewall from either inside or out; it only routes within the
> constraints of the filters.
What if you get a filter wrong? What about IP in IP attacks? If
something is encapsulated and gets through the firewall by means of a
"legal" connection according to the firewall, then the header is stripped
and sent off from INSIDE. If there is a way to protect against that
BEFORE it gets inside I would like to know. AFAIK, packet filters and
proxies filter on the packet headers, and NOT on the data contained within.
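To make the point above concrete, here is an added example (not code from either poster, and not any particular firewall product) showing what a header-only filter sees when an IP-in-IP packet (protocol 4, RFC 2003) arrives, and two ways a filter can refuse to be fooled: deny the encapsulation protocols outright, or peel the tunnel header and apply the rule set to the innermost header. The topology, rule set and addresses (RFC 5737 documentation ranges, 10.0.0.0/8 as the inside network) are all hypothetical, and the packets are constructed inline. What the DMZ host does with the inner packet after decapsulation is outside the filter's view, which is exactly the problem the message describes.

```python
import ipaddress
import socket
import struct

# Protocol numbers whose payload is itself another IP packet.
IPPROTO_IPIP = 4    # IP-in-IP (RFC 2003); the only one this example parses
IPPROTO_IPV6 = 41   # IPv6 in IPv4
IPPROTO_GRE = 47    # GRE
TUNNEL_PROTOS = {IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE}

# Hypothetical topology (assumption, not from the thread).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # protected internal network
DMZ_HOSTS = {"192.0.2.10"}                        # DMZ host reachable from outside
OUTSIDE_HOST = "198.51.100.7"                     # an arbitrary external sender


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse one IPv4 header; raise ValueError on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad version/length")
    if checksum(pkt[:ihl]) != 0:   # checksum over a valid header (incl. its field) is 0
        raise ValueError("bad header checksum")
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}


def policy(src: str, dst: str) -> str:
    """Hypothetical rule set: nothing from outside may reach the inside; DMZ hosts are open."""
    if ipaddress.ip_address(dst) in INSIDE_NET:
        return "deny"
    return "allow" if dst in DMZ_HOSTS else "deny"


def header_only_filter(pkt: bytes) -> str:
    """A filter that, as the message says, looks only at the packet header it is handed."""
    try:
        h = parse_ipv4(pkt)
    except ValueError:
        return "deny"
    return policy(h["src"], h["dst"])


def no_tunnels_filter(pkt: bytes) -> str:
    """Cheapest defence: refuse encapsulation protocols unless a rule explicitly needs them."""
    try:
        h = parse_ipv4(pkt)
    except ValueError:
        return "deny"
    if h["proto"] in TUNNEL_PROTOS:
        return "deny"
    return policy(h["src"], h["dst"])


def decapsulating_filter(pkt: bytes, max_depth: int = 4) -> str:
    """Stronger defence: peel IP-in-IP headers and apply the rules to the innermost header."""
    try:
        h = parse_ipv4(pkt)
        depth = 0
        while True:
            verdict = policy(h["src"], h["dst"])
            if verdict != "allow":
                return verdict
            if h["proto"] == IPPROTO_IPIP:
                depth += 1
                if depth > max_depth:      # refuse absurd nesting instead of parsing forever
                    return "deny"
                h = parse_ipv4(h["payload"])
                continue
            if h["proto"] in TUNNEL_PROTOS:  # GRE / 6in4 are not parsed here: deny by default
                return "deny"
            return "allow"
    except ValueError:
        return "deny"


# Constructed sample traffic (payloads are placeholders, not real TCP segments).
PLAIN = build_ipv4(OUTSIDE_HOST, "192.0.2.10", 6, b"\x00" * 20)   # ordinary packet to the DMZ
INNER = build_ipv4(OUTSIDE_HOST, "10.1.1.5", 6, b"\x00" * 20)     # aimed at an inside host
ENCAPSULATED = build_ipv4(OUTSIDE_HOST, "192.0.2.10", IPPROTO_IPIP, INNER)  # INNER hidden in a "legal" outer packet

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("ip-in-ip", ENCAPSULATED)):
        print(name, header_only_filter(pkt), no_tunnels_filter(pkt), decapsulating_filter(pkt))
```

The header-only filter passes the encapsulated packet because its outer header is addressed to a permitted DMZ host; only after that host strips the outer header does a packet addressed to 10.1.1.5 appear, and by then it is already behind the filter. Of the two fixes, denying protocols 4, 41 and 47 by default is the one that needs no parser and is the usual starting point; the decapsulating variant is what "filtering on the data" costs in practice, and it still has to cap nesting depth and handle each tunnel format separately.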