Re: Traffic selectors, fragments, ICMP messages and security policy problems
I'll mention my example, again, as to why port fields are
appropriate, and add a note on performance:
- by restricting access via an SA to a well known set of
ports, relative to a specific address or set of addresses, one can
reduce opportunities for attacks against the hosts or servers. Think
of this as a way to close off access to inappropriate ports, and to
prevent malicious software that may have taken over a machine from
being able to use that machine to launch attacks against other
machines, at least for some classes of attacks. The worm that
attacked IIS and spread via e-mail from web servers was the example I
cited earlier.
As for high speed, I concur with Mark. For my DoD clients, the
intent is to be able to take advantage of these access control
facilities over a wide performance range, not to have to trade off
access control features vs. interface speeds.
Steve