
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



Phil Karn wrote:

| Interesting examples. A firewall that filters on port numbers is a
| security hack that is obviated by IPSEC. If I give you the means to
| authenticate every packet you let into your network, doesn't that
| eliminate the need for a conventional packet filter?

	It does not.  I may well want to control packets entering my
network by destination.  Authenticating the inbound packets does not
provide this.  However, it's a poor security policy which exposes some
ports on an insecure machine to attack.

	A packet screen is a useful line of defense for a network, and
preventing unauthenticated packets, and/or packets going to unacceptable
destinations, is a useful way to reduce your security exposure to the
Internet.  So the usefulness of a packet filter is not eliminated.

| Actually, an IPSEC gateway can *augment* a packet filter. Instead of
| making ad-hoc filtering decisions on unauthenticated header
| information that can easily be spoofed, you can make them on the basis
| of cryptographic authentication that tells you -- quite reliably --
| WHO sent you this packet in addition to WHAT he sent you. Isn't that
| what you really want to know?

	I agree wholeheartedly here.  If port filtering is an
essential part of your security scheme, I'd suggest either redesigning
your scheme, or tunnelling to the firewall, decrypting, and then
making your filtering decisions.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
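The arrangement both posters describe, a gateway that first authenticates an
inbound packet and then applies a destination/port policy to it, sketched as a
small simulation.  This is an added example written for this archive page, not
code from either poster or from any IPsec implementation; the peers, SPIs,
keys, internal hosts and policy table are all hypothetical, and the
authentication step is a plain HMAC over the fields the filter uses rather
than real AH/ESP processing.

```python
"""
Toy model of an IPsec-style gateway that authenticates an inbound packet
and THEN filters it by destination.  Added example; all identifiers below
(SPIs, peer names, keys, hosts, policy) are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical per-SA keys: SPI -> (peer identity, authentication key).
# Stands in for the keys negotiated for each security association.
PEER_KEYS = {
    "spi-1001": ("alice.example", b"k" * 32),
    "spi-1002": ("bob.example", b"q" * 32),
}

# Hypothetical destination policy: (authenticated peer, host, port) tuples
# that are allowed.  Authentication tells the gateway WHO sent a packet;
# this table is the control-by-destination that authentication alone
# does not give you.
POLICY = {
    ("alice.example", "10.0.0.5", 22),
    ("alice.example", "10.0.0.7", 443),
    ("bob.example", "10.0.0.7", 443),
}


@dataclass(frozen=True)
class Packet:
    spi: str        # selects the security association, hence the peer
    dst_host: str
    dst_port: int
    payload: bytes
    icv: bytes      # integrity check value computed by the sender


def _mac(key: bytes, spi: str, dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """HMAC over every field the filter will base a decision on, so a
    forwarder cannot rewrite the destination of an authenticated packet."""
    msg = f"{spi}|{dst_host}|{dst_port}|".encode() + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(spi, dst_host, dst_port, payload, key=None):
    """Build a packet as a peer would.  With key=None the sender holds no
    SA key and the packet carries a bogus ICV (an unauthenticated or
    spoofed packet that merely claims a valid SPI)."""
    if key is None:
        icv = b"\x00" * 32
    else:
        icv = _mac(key, spi, dst_host, dst_port, payload)
    return Packet(spi, dst_host, dst_port, payload, icv)


def authenticate(pkt: Packet):
    """Return the peer identity if the ICV verifies under the SA's key,
    otherwise None (unknown SPI or bad ICV)."""
    entry = PEER_KEYS.get(pkt.spi)
    if entry is None:
        return None
    peer, key = entry
    expected = _mac(key, pkt.spi, pkt.dst_host, pkt.dst_port, pkt.payload)
    if not hmac.compare_digest(expected, pkt.icv):
        return None
    return peer


def gateway_decision(pkt: Packet) -> str:
    """Authenticate first, then filter on destination.  The verdict string
    says which of the two checks rejected the packet."""
    peer = authenticate(pkt)
    if peer is None:
        return "DROP: authentication failed"
    if (peer, pkt.dst_host, pkt.dst_port) not in POLICY:
        return f"DROP: {peer} not permitted to reach {pkt.dst_host}:{pkt.dst_port}"
    return f"ACCEPT: {peer} -> {pkt.dst_host}:{pkt.dst_port}"


def demo():
    """Constructed traffic: authenticated-and-allowed, unauthenticated,
    authenticated-but-wrong-destination, and a destination rewritten
    after the sender authenticated it."""
    alice_key = PEER_KEYS["spi-1001"][1]
    bob_key = PEER_KEYS["spi-1002"][1]
    good = make_packet("spi-1001", "10.0.0.5", 22, b"ssh", alice_key)
    tampered = Packet(good.spi, "10.0.0.9", good.dst_port, good.payload, good.icv)
    samples = [
        good,
        make_packet("spi-1001", "10.0.0.5", 22, b"ssh"),          # no key
        make_packet("spi-1002", "10.0.0.5", 22, b"ssh", bob_key),  # bad dst
        tampered,
    ]
    return [gateway_decision(p) for p in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the two checks is the point: the destination rule is evaluated
only after the packet's origin has been verified, so the filter never reasons
about an address or port that an attacker could have forged, and a packet from
a genuine peer is still refused if it is aimed at a host or port the policy
does not open to that peer.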
