
RE: Traffic selectors, fragments, ICMP messages and security policy problems




> 	- by restricting access via an SA to a well known set of 
> ports, relative to a specific address or set of addresses, one can 
> reduce opportunities for attacks against the hosts or servers. think 
> of this as a way to close off access to inappropriate ports, and to 
> prevent malicious software that may have taken over a machine from 
> being able to use that machine to launch attacks against other 
> machines, at least for some classes of attacks. the worm that 
> attacked IIS and spread via e-mail from web servers was the example I 
> cited earlier.

It is hard to speak without knowing the complete network architecture
and application, but for what is described here, a firewall
may be more appropriate. 
It is much easier on the server, since it offloads
filtering from the server to the firewall, and the current
breed of firewalls is capable of multi-gigabit speeds 
for access control, filtering and stateful inspection.

Also, the worms and the general classes of zombies want to speak to
the server on a legitimate well-known port. 

If the network architecture
is such that the server wants to talk to a subset of the intranet/Internet,
then it is easier to put the server behind a firewall/IDS system. If 
it is intranet alone, and switches are involved, VLANs can also be used,
provided that the routing is set up correctly.

> 
> As for high speed, I concur with Mark.  For my DoD clients, the 
> intent is to be able to take advantage of these access control 
> facilities over a wide performance range, not to have to trade off 
> access control features vs. interface speeds.

Agreed, as long as the features are not frivolous.

--
Bora
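An added example, not part of this thread or of any implementation discussed in it, that makes the two positions above concrete: a toy RFC 4301-style SPD lookup with address, protocol and port selectors, applied to a web server whose only PROTECT entries are for its own ports 80 and 443. The addresses, the policy and the packets are constructed for illustration. It shows that a per-SA port restriction cannot tell a worm's exploit payload from a legitimate client, because both arrive on the well-known port, while the same restriction does stop a compromised server from initiating connections to other hosts' ports, which is the propagation case Kent cited.

```python
"""Toy SPD (security policy database) lookup with traffic selectors.

Added example with constructed addresses and policies; it is not code
from the thread or from any IPsec implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_PORT: Tuple[int, int] = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp", ...
    sport: int = 0   # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class SPDEntry:
    """One selector set and its action: PROTECT, BYPASS or DISCARD."""
    local_net: str
    remote_net: str
    proto: Optional[str]             # None matches any protocol
    local_ports: Tuple[int, int]     # inclusive range
    remote_ports: Tuple[int, int]
    action: str


def _in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def entry_matches(entry: SPDEntry, pkt: Packet, direction: str) -> bool:
    """Map the packet onto local/remote selectors by direction, then compare."""
    if direction == "out":
        local_addr, remote_addr = pkt.src, pkt.dst
        local_port, remote_port = pkt.sport, pkt.dport
    elif direction == "in":
        local_addr, remote_addr = pkt.dst, pkt.src
        local_port, remote_port = pkt.dport, pkt.sport
    else:
        raise ValueError("direction must be 'in' or 'out'")
    if entry.proto is not None and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(local_addr) not in ipaddress.ip_network(entry.local_net):
        return False
    if ipaddress.ip_address(remote_addr) not in ipaddress.ip_network(entry.remote_net):
        return False
    return _in_range(local_port, entry.local_ports) and _in_range(remote_port, entry.remote_ports)


def spd_lookup(spd, pkt: Packet, direction: str) -> str:
    """First matching entry wins; a packet matching nothing is discarded."""
    for entry in spd:
        if entry_matches(entry, pkt, direction):
            return entry.action
    return "DISCARD"


# Constructed policy for a web server at 10.0.0.10 that talks to the
# 10.0.0.0/8 intranet only on its own HTTP/HTTPS ports.
WEB_SERVER_SPD = [
    SPDEntry("10.0.0.10/32", "10.0.0.0/8", "tcp", (80, 80), ANY_PORT, "PROTECT"),
    SPDEntry("10.0.0.10/32", "10.0.0.0/8", "tcp", (443, 443), ANY_PORT, "PROTECT"),
]


def evaluate_cases() -> dict:
    """Constructed packets covering the cases argued in the thread."""
    cases = {
        # A client, or a worm exploiting the web server, reaching port 80.
        "client_to_port_80": ("in", Packet("10.1.2.3", "10.0.0.10", "tcp", 40000, 80)),
        # The server's reply on the same connection.
        "server_reply": ("out", Packet("10.0.0.10", "10.1.2.3", "tcp", 80, 40000)),
        # A compromised server trying to hit port 80 on another host.
        "server_initiated_to_peer_80": ("out", Packet("10.0.0.10", "10.2.2.2", "tcp", 51000, 80)),
        # A compromised server trying to send mail to propagate.
        "server_initiated_smtp": ("out", Packet("10.0.0.10", "10.3.3.3", "tcp", 51001, 25)),
        # Anyone probing a port the server is not meant to expose.
        "client_to_port_445": ("in", Packet("10.1.2.3", "10.0.0.10", "tcp", 40001, 445)),
    }
    return {name: spd_lookup(WEB_SERVER_SPD, pkt, d) for name, (d, pkt) in cases.items()}


if __name__ == "__main__":
    for name, action in evaluate_cases().items():
        print(f"{name:30s} {action}")
```

The lookup is stateless: it sees only the selector fields of each packet, so the inbound exploit on port 80 is PROTECTed just like any client request, which is the point made above about worms speaking on the legitimate port. What the selectors do enforce is the server's own side of every connection, so a server-initiated connection to a peer's port 80 or 25 falls through to DISCARD. A stateful firewall in front of the server can additionally track which side opened a connection, which port selectors alone cannot express.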