
Filtering (RE: Traffic selectors, fragments, ICMP messages and security policy problems)



The point that I was trying to make is that you can offload
filtering on a per-port basis from the end node (server in this case)
to the network element that it is connected to. For example,
if the server is connected to a switch or router, you can
install a filter on that port so that the server
never even sees the traffic. Of course, this only works in
a well-controlled environment where we know precisely
the network information for the nodes in the network
that will communicate with each other. This also allows more
legitimate traffic to utilize the link since the filtered traffic
never even gets on the link to the server.

I do agree with your statements about the other uses
of the firewall.

Thanks

Bora