
RE: primary purpose of firewalls

2003-06-19 20:19:29
Keith,

Keith Moore wrote:
I believe the primary purpose of firewalls should be to
protect the network, not the hosts, from abusive or
unauthorized usage.
 
Michel Py wrote:
I do not agree with this. The primary purpose of firewalls is
to protect BOTH the network and the hosts.

the reason I disagree is that fundamentally, there's no way
that a firewall can reliably distinguish legitimate traffic
from illegitimate traffic,

This is flat out untrue. Below are a few examples of illegitimate
traffic that my firewall trashed recently.

Jun 16 17:05:38.324 PST: %IDS-4-HTTP_WWW_HOST_FIELD_OVFLOW_SIG:
Sig:5123:WWW Host Field overflow - from 204.116.211.240 to 192.168.1.4

Jun 16 23:22:54.319 PST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb
- from 206.13.31.12 to 209.233.126.65

Jun 18 11:28:58.906 PST: %IDS-4-HTTP_IIS_DOTDOT_EXE_SIG: Sig:3215:
IIS DOT DOT EXECUTE Attack - from 200.38.190.140 to 192.168.1.4

what it cannot do is remove the burden from hosts and
applications to implement reliable security.

This is unexpected coming from you. Look again at the last example I
pasted. Do _you_ suggest that I should trust _that_ vendor to implement
reliable security?

an intermediary MUST NOT alter the source or destination
field in an IP header.

There is nothing wrong with this if another intermediary puts it
back the way it was originally, preserving end-to-end traffic.

if you're talking about RSIP, I don't think that's true, because
IIRC it still requires hosts and apps to be aware of addressing
realms.

I was talking about MHAP which is transparent to hosts and apps.

Michel.
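The IDS syslog lines quoted in the message are what a firewall operator actually works from; as an added example (not part of the original message, and not any vendor's code), here is a small parser that turns that Cisco IOS `%IDS-` line format into structured events and tallies hits per destination host and per signature. The line layout is an assumption drawn only from the three lines on the page, and the fourth `%SYS-5-CONFIG_I` entry is a constructed non-IDS line included to show that unrelated syslog entries are reported rather than silently dropped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Layout assumed from the three IDS lines quoted in the message (not a vendor grammar):
#   <Mon DD HH:MM:SS.mmm TZ>: %IDS-<sev>-<MNEMONIC>: Sig:<id>:<name> - from <src> to <dst>
IDS_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \w+): "
    r"%IDS-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"Sig:(?P<sig_id>\d+):(?P<name>.*?) - from (?P<src>[\d.]+) to (?P<dst>[\d.]+)$"
)

@dataclass(frozen=True)
class IdsEvent:
    timestamp: str
    severity: int
    mnemonic: str
    sig_id: int
    name: str
    src: str
    dst: str

def parse_ids_line(line: str) -> Optional[IdsEvent]:
    """Return a structured event, or None when the line is not an IDS signature hit."""
    m = IDS_LINE.match(" ".join(line.split()))  # re-join lines wrapped by the archive
    if m is None:
        return None
    return IdsEvent(m["ts"], int(m["sev"]), m["mnemonic"], int(m["sig_id"]),
                    m["name"].strip(), m["src"], m["dst"])

def summarize(log: str) -> dict:
    """Count signature hits per destination host and per signature; keep unparsed lines."""
    lines = [ln for ln in log.splitlines() if ln.strip()]
    parsed = [(ln, parse_ids_line(ln)) for ln in lines]
    events = [e for _, e in parsed if e is not None]
    return {
        "events": events,
        "by_dst": Counter(e.dst for e in events),
        "by_sig": Counter((e.sig_id, e.name) for e in events),
        "unparsed": [ln for ln, e in parsed if e is None],
    }

# The three IDS lines quoted in the message (re-joined onto one line each), plus one
# constructed non-IDS syslog line to exercise the "unparsed" path.
SAMPLE_LOG = """\
Jun 16 17:05:38.324 PST: %IDS-4-HTTP_WWW_HOST_FIELD_OVFLOW_SIG: Sig:5123:WWW Host Field overflow - from 204.116.211.240 to 192.168.1.4
Jun 16 23:22:54.319 PST: %IDS-4-UDP_BOMB_SIG: Sig:4050:UDP Bomb - from 206.13.31.12 to 209.233.126.65
Jun 18 11:28:58.906 PST: %IDS-4-HTTP_IIS_DOTDOT_EXE_SIG: Sig:3215: IIS DOT DOT EXECUTE Attack - from 200.38.190.140 to 192.168.1.4
Jun 18 11:30:00.000 PST: %SYS-5-CONFIG_I: Configured from console by console
"""
```

Calling `summarize(SAMPLE_LOG)` shows two of the three signature hits aimed at the same internal host, 192.168.1.4, which is the kind of per-host view that decides where host-side hardening matters most.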