What is the problem with URG data? Doesn't URG have a perfectly legal place in TCP? If you stripped URG, wouldn't that break telnet or some other interactive application? Am I missing something here? Thanks
--- Mikael Olsson <[EMAIL PROTECTED]> wrote:

> "Paul D. Robertson" wrote:
> >
> > [on stateful inspection firewalls needing to know about stuff
> > that proxies don't]
> > Ah, but the point still stands that the packet filter has to know about
> > some frag and other bugs (like URG) - and indeed has to do things like
> > "drop all packets with URG set" because there might be one unpatched
> > client (after the firewall's been updated) rather than allow legitimate
> > URG traffic after the firewall's been patched.
>
> (Or strip URG data, which is what a proxy usually would be doing ;))
>
> Isn't there an interesting flip-side to this? That since the firewall
> needs to know about all of this (it being properly upgraded and
> professionally administered and all), it can also trigger alerts on
> these events?
>
> (But on the other hand, the same can also be said about IDSes with
> external sensors, if this hypothetical organization has paid for it?)
>
> > On Fri, 5 Apr 2002, Mikael Olsson wrote:
> > > Please show me how to divide a corporate network, with
> > > multiple publicly accessible servers with different
> > > security ratings, and with back-end servers accessible
> > > from said servers, into ... oh, let's say fifty different
> > > security zones, using any proxy firewall available today.
> >
> > 4 Ultra2's with 3 QFEs each (yes, the U2 is EOL, but that's how I used to
> > build them.) Lots of PCs with Linux and open source proxies. One box
> > with lots of proxies and per-ruleset and per-address block IP to proxy
> > mappings. Alternately, IPSEC to the proxies. That's if you want fair
> > separation, otherwise, just do it in the rulebases.
>
> Are you telling me that you've actually set up and successfully supported
> installations like this? (With or without IPSEC to the proxies?)
>
> Don't get me wrong; I'm just baffled and would truly like to know.
>
> On another note: I think my original question was more aimed at
> commercially available stuff, although I didn't say that - I know. Open
> source is all well and good, given the standard set of arguments, but
> often you also trg gb or fpnerq fuvgyrff ol fbzr crbcyr'f (ynpx bs)
> pbqvat cenpgvprf. But then again, that's all IMHO and very inflammatory,
> hence the ebg13.
>
> Regards,
> Mikael Olsson
>
> PS. Yes I know, proxy vs state is a really old topic and still very
> inflammatory and we both know that a combo is the best way to go.
> However, I still think there are a couple of interesting points left
> to hash out. I'll try to stay away from evangelism and flames if you
> do the same, mkay? :)
>
> --
> Mikael Olsson, Clavister AB
> Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
> Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
> Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
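The two firewall stances argued over in the quoted exchange, "drop all packets with URG set" (the packet-filter reaction) versus "strip URG data" (what a proxy ends up doing), as an added example that is not code from the thread or from either poster: a small Python module that parses a raw TCP header, applies each policy to a segment, and for the strip case clears the URG flag, zeroes the urgent pointer and patches the TCP checksum incrementally (RFC 1624) so the segment still verifies. The addresses, ports, sequence numbers and the two-byte payload are constructed for the demonstration; port 23 is used because telnet's Synch (IAC DM sent as urgent data) is the interactive case the question asks about. A real proxy terminates the connection and re-originates it rather than rewriting bytes in flight, so strip_urg models an inline filter that strips the flag, not a proxy.

```python
import struct

# TCP flag bits in header byte 13 (RFC 793)
URG = 0x20
ACK = 0x10
PSH = 0x08

# Constructed sample endpoints for the demonstration (not from the thread)
SAMPLE_SRC_IP = bytes([10, 0, 0, 1])
SAMPLE_DST_IP = bytes([10, 0, 0, 2])


def _fold(total: int) -> int:
    """Fold a wide sum into a 16-bit one's-complement sum (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _ones_sum(data: bytes) -> int:
    """One's-complement sum of the 16-bit big-endian words of data (odd tail zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    return _fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment.

    With the checksum field zeroed this returns the value to store; with the
    stored checksum in place it returns 0 for a valid segment.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~_ones_sum(pseudo + segment)) & 0xFFFF


def incremental_checksum(hc: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): patch the checksum for one changed word."""
    return (~_fold((~hc & 0xFFFF) + (~old_word & 0xFFFF) + new_word)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, flags, urgent_ptr, payload):
    """Build a minimal (no options) TCP segment with a correct checksum. Seq/ack are arbitrary."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 8192, 0, urgent_ptr)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def has_urg(segment: bytes) -> bool:
    return bool(segment[13] & URG)


def filter_policy(segment: bytes) -> str:
    """Packet-filter stance from the thread: refuse anything with URG set."""
    return "drop" if has_urg(segment) else "pass"


def strip_urg(segment: bytes) -> bytes:
    """Inline 'strip URG' stance: clear the flag, zero the urgent pointer, fix the checksum.

    Only the two changed words are fed to the incremental update (offset 12 holds
    data offset + flags, offset 18 the urgent pointer), so no pseudo-header is
    needed here and the rest of the segment is untouched.
    """
    if not has_urg(segment):
        return segment
    seg = bytearray(segment)
    csum, = struct.unpack_from("!H", seg, 16)
    old_flags_word, = struct.unpack_from("!H", seg, 12)
    old_urg_ptr, = struct.unpack_from("!H", seg, 18)
    new_flags_word = old_flags_word & (0xFFFF ^ URG)
    csum = incremental_checksum(csum, old_flags_word, new_flags_word)
    csum = incremental_checksum(csum, old_urg_ptr, 0)
    struct.pack_into("!H", seg, 12, new_flags_word)
    struct.pack_into("!H", seg, 18, 0)
    struct.pack_into("!H", seg, 16, csum)
    return bytes(seg)


def demo():
    """Constructed telnet-like segment to port 23 carrying IAC DM as urgent data."""
    seg = build_segment(SAMPLE_SRC_IP, SAMPLE_DST_IP, 40000, 23, URG | PSH | ACK, 2, b"\xff\xf2")
    stripped = strip_urg(seg)
    return {
        "filter": filter_policy(seg),
        "stripped_valid": tcp_checksum(SAMPLE_SRC_IP, SAMPLE_DST_IP, stripped) == 0,
        "stripped_has_urg": has_urg(stripped),
    }


if __name__ == "__main__":
    print(demo())
```

The point the two policies make concrete: the drop rule is one byte test and costs the telnet Synch its delivery entirely, while the strip rule keeps the bytes flowing but turns urgent data into ordinary in-band data, which is exactly the behaviour change the question worries about.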
