On Fri, 22 Jun 2001, Sudipto basu wrote:
> I mean to say without any s/w support a filtering
> technique at router level cannot filter those
> packets.
> Is it right? If yes, then why?
> I have a book which reads like:
This is very unclear. By the same rationale, a router without software
support for 'ip route' cannot actually route. A router with no filtering
capabilities cannot filter. Does that make sense?
> "A router alone cannot fully control a stream of IP
> packets, as it cannot monitor the state
> of incoming and outgoing packets, so some protocols
> like FTP which use more than one data stream
> present problems for router-based firewalls.
FTP being the worst, security-wise, of protocols, you are correct. I would
not trust a packet filter to handle the deed, but depending on what you
are trying to accomplish it may suffice. Some routers (Cisco, others) do
support software features to track sessions, even if they are
connectionless in design. For example, you can open a "pinhole" in the
firewall for a DNS query, and close it up after a predetermined period of
time.
> Things get worse when you use a connectionless
> protocol like UDP,
> which forms the basis of DNS. In order to control UDP
> streams in a firewall, you need to add some form of
> state monitoring to a packet filter"
See above.
-truman
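The difference between the stateless ACL the book describes and the DNS "pinhole" truman mentions, as an added illustration that is not part of the thread: a stateless filter must permit any inbound UDP from port 53 at any time, while a stateful filter records each outbound query and admits only the matching reply until a fixed timeout. Addresses, ports and the 10-second TTL are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


FlowKey = Tuple[str, int, str, int]  # (src, sport, dst, dport)


class StatelessFilter:
    """Port-based ACL only. To let DNS answers back in it has to admit
    any inbound UDP from source port 53 to a client port, solicited or not."""

    def allow_inbound(self, pkt: Packet, now: float) -> bool:
        return pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024


class StatefulFilter:
    """Tracks outbound DNS queries and opens a pinhole for the reply that
    is closed again after `ttl` seconds (constructed default of 10 s)."""

    def __init__(self, ttl: float = 10.0):
        self.ttl = ttl
        self.pinholes: Dict[FlowKey, float] = {}  # reply flow -> expiry time

    def note_outbound(self, pkt: Packet, now: float) -> None:
        if pkt.proto == "udp" and pkt.dport == 53:
            reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.pinholes[reply_key] = now + self.ttl

    def allow_inbound(self, pkt: Packet, now: float) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.pinholes.get(key)
        if expiry is None:
            return False          # no query was ever sent to this server/port
        if now > expiry:
            del self.pinholes[key]  # predetermined period elapsed: close it
            return False
        return True               # solicited reply within the window


if __name__ == "__main__":
    sf = StatefulFilter()
    sf.note_outbound(Packet("10.0.0.5", 40000, "192.0.2.53", 53), now=0.0)
    print(sf.allow_inbound(Packet("192.0.2.53", 53, "10.0.0.5", 40000), now=1.0))
    print(sf.allow_inbound(Packet("198.51.100.9", 53, "10.0.0.5", 40000), now=1.0))
```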
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls