RE: [LINK] Re: *only* a reply to people who don't *only* use Windows

From: Auer, Karl James (karl.auer@id.ethz.ch)
Date: Tue Aug 14 2001 - 19:09:28 EST


> -----Original Message-----
> From: Richard Archer [mailto:rha@juggernaut.com.au]
> >You were talking about compartmentalising things - how can an
> >application know whether an inbound packet is spoofed?
>
> So we disagree on the definition of packet filtering too :)

Huh? The question wasn't wholly rhetorical - for an application to know
whether a packet is spoofed, it has to have a whole heap of network
awareness, which it probably doesn't otherwise need, and which itself
becomes a vulnerability.

> From my ISP background I tend to think of packet filtering as
> dropping all packets destined to ports 137, 138 and 139 and 31337
> on the floor.

That's a very limited view of packet filtering. Apart from blocking,
packet filtering also includes at least masquerading, NAT, PAT,
antispoofing, limiting and redirection, and of course is bidirectional -
a good system should also work to protect the outside world from the
mistakes of its admins and the malice of its users.

> But if NetBios was secure and if there was no way to install Back
> Orifice, these filters would not be required.

Sure - but just because you *think* a program is secure today doesn't
mean an exploit won't be discovered tomorrow. Or that some user won't
install a horribly unsafe program that threatens your whole network. A
packet filter can say "let port 80 through to my web server, but to no
other machine". If some other machine in your network "develops" a
vulnerability on port 80, your packet filter protects you; it may even
be able to play a role in telling you about such developments.

> The other thing packet filtering can do is prevent information about
> your systems being discovered via port scans. (e.g. prevent port 80
> access to all machines that are not web servers). But once again, if
> systems were secure this wouldn't be required either.

That doesn't make sense. A correctly functioning web server will reveal
information about itself when probed on port 80. A correctly functioning
machine without a web server will reveal that it isn't running a web
server if probed on port 80. You can't stop that, short of putting dummy
servers up.

> As an example, I *like* people to know I run qmail and ncftpd because
> once they know that they'll stop trying Sendmail and wuftpd exploits
> against my system.

Most probes come from mindless programs that don't know when to stop[1].
You'll only stop a human attacker like that, and there aren't many of
those around.

Regards, K.

[1] From a tag line somewhere: "Don't anthropomorphise computers, they
hate that". :-)
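The filtering policy argued for above (antispoofing, bidirectional filtering, tcp/80 admitted only to the web server, and dropped packets surfacing as alerts) as an added Python illustration; this is not code from the original thread, and the addresses, interface names and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example network (RFC 5737 documentation ranges).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")   # our LAN
WEB_SERVER = ipaddress.ip_address("192.0.2.10")   # the only host allowed to receive tcp/80

@dataclass
class Packet:
    iface: str   # "ext" = arrived from the Internet, "int" = arrived from the LAN
    proto: str
    src: str
    dst: str
    dport: int

def filter_packet(pkt):
    """Return (verdict, reason); verdict is 'ACCEPT' or 'DROP'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Antispoofing: our own addresses never legitimately arrive from outside.
    if pkt.iface == "ext" and src in INTERNAL:
        return "DROP", "spoofed internal source on external interface"
    # Egress filtering: protect the outside world from packets we cannot own.
    if pkt.iface == "int" and src not in INTERNAL:
        return "DROP", "egress: source address is not ours"
    # Inbound tcp/80 reaches the web server only; any other host is shielded
    # even if it later "develops" a listener on port 80.
    if pkt.iface == "ext" and pkt.proto == "tcp" and pkt.dport == 80:
        if dst == WEB_SERVER:
            return "ACCEPT", "inbound http to web server"
        return "DROP", "inbound http to non-web host"
    if pkt.iface == "ext":
        return "DROP", "default deny inbound"
    return "ACCEPT", "outbound from internal host"

def run(packets):
    """Apply the policy; every DROP becomes an alert line, so the filter also reports on unexpected traffic."""
    alerts = []
    for p in packets:
        verdict, reason = filter_packet(p)
        if verdict == "DROP":
            alerts.append(f"{p.iface} {p.proto} {p.src}->{p.dst}:{p.dport} {reason}")
    return alerts

# Constructed sample traffic: one legitimate web request, one probe of a
# non-web host on 80, one spoofed source, one normal outbound connection,
# one outbound packet with a foreign source, one NetBIOS probe.
SAMPLE = [
    Packet("ext", "tcp", "198.51.100.7", "192.0.2.10", 80),
    Packet("ext", "tcp", "198.51.100.7", "192.0.2.20", 80),
    Packet("ext", "tcp", "192.0.2.5", "192.0.2.10", 80),
    Packet("int", "tcp", "192.0.2.20", "203.0.113.9", 443),
    Packet("int", "tcp", "10.0.0.1", "203.0.113.9", 25),
    Packet("ext", "tcp", "198.51.100.7", "192.0.2.20", 139),
]

if __name__ == "__main__":
    for line in run(SAMPLE):
        print(line)
```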



This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:04 EST