On Mon, 24 Jul 2000, mouss wrote:
> >UDP is not as _reliable_ as TCP, but IMHO its no more difficult to
> >secure unless you are talking static packet filters. With any other
> >firewall technology, its no worse or better.
>
> uhum?! You're getting too generic here, no? And generic is generally false...
> A service is not secure simply because it uses TCP instead of UDP.
Hummm, isn't that what I said? No better or worse...
> many firewall vendors, just because they have nothing to sell for UDP, simply
> say "heh, but UDP cannot be secured anyway. let's talk about our super TCP
> filter/proxy".
Actually, I don't really agree here. For example FW-1 maintained state on
UDP long before they were stateful for TCP. Also, I think it's more of a
service thing. TCP is sexy because so many services rely on it. Need
drives the market and all of that.
> and after all, what will a stateful packet filter like the one in FW1
> do against an http tunnelled content attack?
Actually, you are beyond the ability of stateful filtering and would need
to kick in Stateful Inspection. FW-1 _does_ have the ability to screen
HTTP however:
1) It's not very flexible
2) It's easy to fool
> what will the Gauntlet's proxies do against things like the
> "I love you" attack?
This goes back to my earlier argument. An app proxy has the _ability_ to
check content and spit out everything you don't want to let
through. Limitations are:
1) What did the vendor deploy
2) How good is the code
For example if the mail proxy is based on an old version of Sendmail you're
going to have a difficult time screening attachments. ;)
> UDP certainly introduces some programming problems, but these are
> programming problems,
Actually, the problems revolved around how some of the UDP based services
were implemented. For example DNS servers using a source _and_ destination
port of UDP/53. In the static packet filter days, this was a b*tch because
you had to open UDP/53 inbound to receive replies. This also meant that
external people could poke your DNS server. Maintaining state eliminates
this problem.
> anyway, there is no point in suppressing UDP, unless one suppresses the
> whole IP.
Agreed. This needs to be handled on a service by service basis.
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
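An added illustration of the UDP/53 point in Chris's reply (example code written for this page, not code from the thread, from FW-1 or from any vendor): a toy model of a static packet filter beside a stateful one, run over the same constructed packets. The addresses, the `INSIDE_DNS` name and the `Packet` record are all assumptions made for the example. The static filter can only admit replies to source-port-53 queries by leaving inbound UDP/53 -> UDP/53 open, so an unsolicited probe on those ports gets through; the stateful filter admits an inbound packet only when it mirrors a query it has already seen leave.

```python
# Added example, not code from the thread: a toy model of the UDP/53 problem
# Chris describes. Every address and packet here is constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass

INSIDE_DNS = "192.0.2.10"   # constructed: our DNS server behind the firewall
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving our network, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int


def static_filter(pkt: Packet) -> bool:
    """Static packet filter. Because the old resolver sends queries from
    UDP/53 to UDP/53, the only way to let replies back in is a standing
    rule for inbound UDP/53 -> UDP/53, which also admits unsolicited packets."""
    if pkt.direction == "out":
        return pkt.src == INSIDE_DNS and pkt.sport == DNS_PORT and pkt.dport == DNS_PORT
    return pkt.dst == INSIDE_DNS and pkt.dport == DNS_PORT and pkt.sport == DNS_PORT


class StatefulFilter:
    """Stateful filter: records each outbound query and admits only an inbound
    packet that mirrors one. Real products expire entries on a timer; this
    toy model simply removes an entry once it has been matched."""

    def __init__(self) -> None:
        self.pending: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.src == INSIDE_DNS and pkt.sport == DNS_PORT and pkt.dport == DNS_PORT:
                self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # An inbound packet must be the exact reverse of a recorded outbound tuple.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False


# Constructed traffic: a legitimate query/reply pair, then an unsolicited probe
# that an outsider sends straight at our DNS server from its own port 53.
SAMPLE_TRAFFIC = [
    Packet("out", INSIDE_DNS, 53, "198.51.100.5", 53),   # our query to an external server
    Packet("in", "198.51.100.5", 53, INSIDE_DNS, 53),    # that server's reply
    Packet("in", "203.0.113.7", 53, INSIDE_DNS, 53),     # unsolicited probe, same ports
]


def compare(traffic=SAMPLE_TRAFFIC) -> dict[str, list[bool]]:
    """Run both filters over the same packets and return their verdicts."""
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in traffic],
        "stateful": [stateful.decide(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
    # static   [True, True, True]   the probe gets through
    # stateful [True, True, False]  only the matching reply is admitted
```

The third packet is the whole argument in one line: with the static rule set it is indistinguishable from a reply, with a state table it is dropped because nothing inside ever asked 203.0.113.7 a question.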