Re: Traffic selectors, fragments, ICMP messages and security policy problems
Firewalls have their place, but often administrators like to allow all
decrypted traffic in, believing that because it was encrypted, it is
more secure.
A very common policy, especially when the firewall and VPN are
collocated is something like this:
- Allow HTTP and HTTPS to web server + outgoing
- Allow SMTP to SMTP server
- Allow all VPN traffic
- Block everything else
When they're not collocated, you put the firewall closer to the
Internet than the VPN, because it can filter all those gigabits. Such
a firewall can't know what's in the VPN.
This makes sense because VPN traffic is considered "internal" and
therefore can be anything. We want someone in the Paris office to be
able to access all the network resources as if she were in the main
office. Of course, now we know better, and would not like to encrypt
the attacks that the worm that infected her computer is sending out.
This is why VPN has to have its own access control regardless of the
firewall. A case could be made for a pure VPN with no port selectors,
collocated with a dedicated firewall, and that works as long as both
ends are managed by the same administrator. If, however, your policy
is to block NFS, it's a shame that the other side would keep encrypting
and your side would keep decrypting.
On Feb 26, 2004, at 5:00 AM, Bora Akyol wrote:
>
>> - by restricting access via an SA to a well known set of
>> ports, relative to a specific address or set of addresses, one can
>> reduce opportunities for attacks against the hosts or servers. think
>> of this as a way to close off access to inappropriate ports, and to
>> prevent malicious software that may have taken over a machine from
>> being able to use that machine to launch attacks against other
>> machines, at least for some classes of attacks. the worm that
>> attacked IIS and spread via e-mail from web servers was the example I
>> cited earlier.
>
> It is hard to speak without knowing the complete network architecture
> and application, but for what is described here, a firewall
> may be more appropriate.
> Much easier on the server since it offloads
> filtering from the server to the firewall and current
> breed of firewalls are capable of multi gigabit speeds
> for doing access control and filtering and stateful inspection.
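As an added illustration of the reply's point about port selectors (example code, not part of the thread), here is a small first-match SPD lookup in Python that compares a "pure VPN with no port selectors" policy against one whose selectors admit only the allowed ports; the office subnets, host addresses and the NFS port number 2049 are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing: the Paris office reaches the main office over the VPN.
PARIS_NET = ipaddress.ip_network("10.2.0.0/16")
MAIN_NET = ipaddress.ip_network("10.1.0.0/16")


@dataclass
class Selector:
    """One SPD entry: source/destination ranges, IP protocol, destination port range, action."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]        # IP protocol number; None means any protocol
    dport: Tuple[int, int]      # inclusive destination port range; (0, 65535) means any port
    action: str                 # "protect" (encrypt into the SA) or "discard"

    def matches(self, pkt: Tuple[str, str, int, int]) -> bool:
        src, dst, proto, dport = pkt
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and self.dport[0] <= dport <= self.dport[1])


def lookup(spd: List[Selector], pkt: Tuple[str, str, int, int]) -> str:
    """First-match SPD lookup; traffic matching no entry is discarded (the RFC 2401 default)."""
    for sel in spd:
        if sel.matches(pkt):
            return sel.action
    return "discard"


# Policy 1: pure VPN, no port selectors. Everything between the sites is encrypted,
# so an NFS request (or a worm's scan) from Paris rides the tunnel unchallenged.
PURE_VPN = [Selector(PARIS_NET, MAIN_NET, None, (0, 65535), "protect")]

# Policy 2: port-restricted selectors. Only HTTP, HTTPS and SMTP (TCP) are protected;
# NFS (assumed TCP 2049) and anything else from Paris is dropped before encryption.
RESTRICTED_VPN = [
    Selector(PARIS_NET, MAIN_NET, 6, (80, 80), "protect"),
    Selector(PARIS_NET, MAIN_NET, 6, (443, 443), "protect"),
    Selector(PARIS_NET, MAIN_NET, 6, (25, 25), "protect"),
]

if __name__ == "__main__":
    nfs = ("10.2.0.7", "10.1.0.20", 6, 2049)   # constructed: Paris host -> main-office file server
    print("no selectors:", lookup(PURE_VPN, nfs), "| port selectors:", lookup(RESTRICTED_VPN, nfs))
```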