Tracy R Reed wrote:
> Neil Schneider wrote:
>> And the fact that developers can't document the network interfaces to
>> their software so that proxies can be built is a failure to understand
>> the requirements of network security. It always seems to be the fault
>> of the security admin because the application is badly behaved and
>> requires that all inbound ports be open to allow it to function.
>> Programmers should be denied the ability to write network software if
>> they can't clearly define which incoming and outgoing ports their
>> application will require.
>>
When I was on the firewalls list and the fwtk list this was a constant
lament. For every well-behaved application, there were four that could
use any incoming port from 1024-65535 and expected all the ports to be
open. I don't know if it's changed, but Microsoft NetMeeting used to
require that the firewall open huge ranges of incoming ports in order
to function. As a firewall admin, that isn't going to happen.
> I don't think this is the problem at all. The problem is that it is very
> nice to be able to use ephemeral ports. But this is directly at odds
> with NAT. SIP, for example, is a very well documented and understood
> protocol. SIP proxies exist. But how can I get every NAT manufacturer to
> put a copy of SER in their NAT device and tell the end users how to
> configure their applications to utilize it? And we expect to do this
> with every non-trivial application?
FTP uses ephemeral ports. You can FTP to my server behind a NAT box.
So what's the problem? You can get manufacturers to include SER if you
demand it, and refuse to buy devices that don't include it. If the
market demands it the manufacturer will supply it.
> NAT has nothing directly to do with security anyway as far as I am
> concerned. The security component of any NAT device is just a packet
> filter. Deny all incoming connections. You can do this without NAT.
>
> At this point I wish HTTP would have been better if it were implemented
> such that it did not work with NAT. Then we would all have been forced
> to move to IPv6 a long time ago and this NAT silliness would have died
> the quick death it so richly deserves instead of making us all suffer
> for years on end.
You may be suffering, I'm not. It has worked for me for many years.
Unfortunately, since I use FreeBSD for my firewall and it hasn't
implemented IPV6to4, I don't have the option yet to use it. You can
use it now on your Linux firewall, if you desire it. Why hasn't it
been implemented in consumer firewalls today?
--
Neil Schneider pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D
"When the politicians complain that TV turns the proceedings into a
circus, it should be made clear that the circus was already here,
and that TV has merely demonstrated that not all the performers are
well trained." - Edward R. Murrow
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list