
Re: Traffic selectors, fragments, ICMP messages and security policy problems



Stephen Kent writes:
> 	- By restricting access via an SA to a well-known set of 
> ports, relative to a specific address or set of addresses, one can 
> reduce opportunities for attacks against the hosts or servers. Think 
> of this as a way to close off access to inappropriate ports, and to 
> prevent malicious software that may have taken over a machine from 
> being able to use that machine to launch attacks against other 
> machines, at least for some classes of attacks. The worm that 
> attacked IIS and spread via e-mail from web servers was the example I 
> cited earlier.

For that kind of case the separate non-first-fragment SA is OK, as
your different policies are either "encrypt with XXX" or "drop", i.e. you
do not have a pass-through-in-clear rule.

As soon as you have a pass-through-in-clear rule which sends some
traffic in the clear, then you need to select whether the non-first
fragments are going to use the "encrypt with XXX" rule or the pass-through-
in-clear rule, and if the reason for passing through in the clear was
performance issues, then you probably cannot encrypt the non-first
fragments.

> As for high speed, I concur with Mark.  For my DoD clients, the 
> intent is to be able to take advantage of these access control 
> facilities over a wide performance range, not to have to trade off 
> access control features vs. interface speeds.
-- 
kivinen@safenet-inc.com
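The fragment-policy problem discussed in this message, as an added example that is not from the original post or from any IPsec implementation: a toy ordered-SPD evaluator in which a non-first fragment, which carries no port numbers, can only be sent over a dedicated non-first-fragment SA (the hypothetical PROTECT_NFF action) when no rule for the same address pair passes traffic in the clear. Addresses, ports and rule contents are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "PROTECT" (encrypt), "BYPASS" (pass in clear) or "DISCARD"
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int]         # None when the transport header is not in this packet
    non_first_fragment: bool = False

def _same_flow(rule: Rule, pkt: Packet) -> bool:
    return (rule.src, rule.dst, rule.proto) == (pkt.src, pkt.dst, pkt.proto)

def classify(spd: List[Rule], pkt: Packet) -> str:
    """Action an ordered SPD yields for one packet.  A first fragment carries
    ports, so the first matching rule decides.  A non-first fragment has no
    ports, so every rule for the same address pair/protocol is a candidate;
    the hypothetical PROTECT_NFF action ("dedicated non-first-fragment SA")
    is only safe when no candidate rule passes traffic in the clear."""
    if not pkt.non_first_fragment:
        for rule in spd:
            if _same_flow(rule, pkt) and rule.dport in (None, pkt.dport):
                return rule.action
        return "DISCARD"                     # no matching rule: drop by default
    candidates = {r.action for r in spd if _same_flow(r, pkt)}
    if not candidates:
        return "DISCARD"
    if "BYPASS" in candidates:
        return "AMBIGUOUS"                   # encrypt-or-clear cannot be decided here
    return "PROTECT_NFF"                     # only PROTECT/DISCARD rules: safe choice

# Constructed SPD between two hosts: web ports encrypted, everything else dropped.
SPD_PROTECT_ONLY = [
    Rule("PROTECT", "10.0.0.1", "10.0.0.2", 6, 80),
    Rule("PROTECT", "10.0.0.1", "10.0.0.2", 6, 443),
    Rule("DISCARD", "10.0.0.1", "10.0.0.2", 6),
]
# Same SPD plus a bulk-transfer port passed in the clear for performance.
SPD_WITH_BYPASS = SPD_PROTECT_ONLY[:2] + [
    Rule("BYPASS", "10.0.0.1", "10.0.0.2", 6, 2049)] + SPD_PROTECT_ONLY[2:]
```

The receiver of a PROTECT_NFF fragment can still apply its own SPD after decryption, which is why encrypt-or-drop policies tolerate the separate SA while a bypass rule does not.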