
Re: Traffic selectors, fragments, ICMP messages and security policy problems



Firewalls have their place, but often administrators like to allow all 
decrypted traffic in, believing that because it was encrypted, it is 
more secure.

A very common policy, especially when the firewall and VPN are 
collocated, is something like this:
- Allow HTTP and HTTPS to web server + outgoing
- Allow SMTP to SMTP server
- Allow all VPN traffic
- Block everything else

When they're not collocated, you put the firewall closer to the 
Internet than the VPN, because it can filter all those gigabits.  Such 
a firewall can't know what's in the VPN.

This makes sense because VPN traffic is considered "internal" and 
therefore can be anything.  We want someone in the Paris office to be 
able to access all the network resources as if she were in the main 
office.  Of course, now we know better, and would not like to encrypt 
the attacks that the worm that infected her computer is sending out.

This is why VPN has to have its own access control regardless of the 
firewall.  A case could be made for a pure VPN with no port selectors, 
collocated with a dedicated firewall, and that works as long as both 
ends are managed by the same administrator.  If, however, your policy 
is to block NFS, it's a shame that the other side would keep encrypting 
and your side would keep decrypting.

On Feb 26, 2004, at 5:00 AM, Bora Akyol wrote:

>
>> 	- by restricting access via an SA to a well known set of
>> ports, relative to a specific address or set of addresses, one can
>> reduce opportunities for attacks against the hosts or servers. think
>> of this as a way to close off access to inappropriate ports, and to
>> prevent malicious software that may have taken over a machine from
>> being able to use that machine to launch attacks against other
>> machines, at least for some classes of attacks. the worm that
>> attacked IIS and spread via e-mail from web servers was the example I
>> cited earlier.
>
> It is hard to speak without knowing the complete network architecture
> and application, but for what is described here, a firewall
> may be more appropriate.
> Much easier on the server since it offloads
> filtering from the server to the firewall and current
> breed of firewalls are capable of multi gigabit speeds
> for doing access control and filtering and stateful inspection.
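The policy contrast in the message above (a port-agnostic "allow all VPN traffic" rule versus per-port traffic selectors on the VPN gateway) can be shown with a small simulation. The following is an added example, not code from the original post or from anyone on this thread: a simplified, ordered, first-match Security Policy Database lookup in the style of RFC 4301. The subnets, hosts, and rules are constructed for illustration, and the handling of a packet whose port is not visible (a non-initial fragment) is a deliberately simplified model of what a port selector can and cannot match.

```python
# Added example, not from the original post: a simplified IPsec SPD lookup
# showing that a port-agnostic site-to-site policy PROTECTs (encrypts) a
# worm's NFS traffic, while per-port selectors DISCARD it at the gateway
# before it is ever encrypted.  Addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None = port not visible (e.g. non-initial fragment)


@dataclass(frozen=True)
class Rule:
    src: str                            # CIDR selector for the source
    dst: str                            # CIDR selector for the destination
    action: str                         # PROTECT, BYPASS or DISCARD
    proto: Optional[str] = None         # None = any protocol
    dports: Optional[frozenset] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None:
            # A port selector cannot match a packet whose port is not visible,
            # so a fragment without a transport header falls through this rule.
            if pkt.dport is None or pkt.dport not in self.dports:
                return False
        return True


def lookup(spd, pkt: Packet) -> str:
    """Ordered first-match SPD lookup; no matching entry means DISCARD."""
    for rule in spd:
        if rule.matches(pkt):
            return rule.action
    return DISCARD


# Constructed topology: the Paris office and the main office (assumed values).
PARIS = "10.2.0.0/16"
HQ = "10.1.0.0/16"
WEB = "10.1.0.10/32"
MAIL = "10.1.0.25/32"

# Policy A: "allow all VPN traffic" - one selector covering every protocol
# and port between the two sites.  Whatever Paris sends gets encrypted.
PORT_AGNOSTIC_SPD = [
    Rule(PARIS, HQ, PROTECT),
]

# Policy B: per-port traffic selectors.  Only the services the Paris office
# needs are protected; everything else (NFS on 2049, for instance) is
# discarded by this gateway instead of being encrypted and forwarded.
SELECTOR_SPD = [
    Rule(PARIS, WEB, PROTECT, proto="tcp", dports=frozenset({80, 443})),
    Rule(PARIS, MAIL, PROTECT, proto="tcp", dports=frozenset({25})),
    Rule(PARIS, HQ, PROTECT, proto="icmp"),
    Rule(PARIS, HQ, DISCARD),  # explicit catch-all for the site pair
]


def compare(pkt: Packet):
    """Return (action under policy A, action under policy B) for one packet."""
    return lookup(PORT_AGNOSTIC_SPD, pkt), lookup(SELECTOR_SPD, pkt)


if __name__ == "__main__":
    samples = [
        Packet("10.2.0.7", WEB.split("/")[0], "tcp", 443),    # legitimate HTTPS
        Packet("10.2.0.7", "10.1.0.50", "tcp", 2049),         # worm probing NFS
        Packet("10.2.0.7", WEB.split("/")[0], "tcp", None),   # non-initial fragment
        Packet("10.2.0.7", "10.1.0.50", "icmp"),              # ping
    ]
    for p in samples:
        print(p, "->", compare(p))
```

The second sample is the point of the thread: under policy A the gateway dutifully encrypts the NFS probe and the far end dutifully decrypts it, and only a firewall behind the VPN can stop it; under policy B the packet never enters an SA. The third sample shows the cost of port selectors that the subject line alludes to: a fragment carrying no transport header cannot satisfy a port selector, so it falls to the catch-all and is discarded unless a separate rule is written for it.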