Firewall Wizards
mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 14:21:39 -0400
On May 21, 2005, at 12:58 PM, Marcus J. Ranum wrote:
> Chuck Swiger wrote:
>> By definition, the IETF is concerned with systems which interoperate
>> over public networks using network-wide conventions and publicly
>> documented standards. What people do with private machines or
>> private networks is up to them, at least so long as they *don't*
>> connect those machines to the Internet.
>
> You're completely ignoring the fundamental dilemma that I am trying
> to get you to confront. My position in a nutshell:
> - "Standards that don't take security into account are not
> internet-worthy"
> and you're asserting
> - "If you don't follow standards you break 'legitimate' traffic"
> The problem is that, since the standards don't take security into
> account, the traffic is not 'legitimate' - it's 'dangerous' and a
> security device can and SHOULD interfere with it.
You've asserted that all standards are useless. You've asserted that
standards which do not take security into account are not
internet-worthy. You seem to believe that no Internet standard is
legitimate and all traffic must be considered dangerous.
Your position is comprehensible but so extreme as to not be especially
useful. By analogy:
There is a non-skid surface on the floor of my tub, but I could still
break my neck if I slipped, I suppose. Should I worry about this
horrible possibility excessively? So much that I forget to lock my
front door? It's useful to worry about stuff which is likely to
happen, is likely to matter, and is something you can do something
useful about, without spending so much effort that the net impact
outweighs the loss of productive work.
> Maybe the first time someone invents a PMTUD denial of
> service attack you'll "get it."

People have already played lots of games using ICMP traffic.
Rate-limiting ICMP responses and preventing replies to network
broadcast addresses to prevent amplification/DoS works pretty well for
now.
If I try to talk to www.example.com:80 using DF, I expect that to work.
I don't agree that a firewall should block ICMP unreachable messages
generated for a connection which would normally be permitted by the
security policy. Rate-limit, sure. But not blackhole...
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
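The policy argued for above (let ICMP unreachables through when they relate to a connection the firewall already permits, rate-limit them rather than blackhole them) can be shown concretely. The following is an added example, not code from the post or from the list: it builds an RFC 1191 "fragmentation needed" message (ICMP type 3, code 4) as a router would send it back to a host that set DF, parses it, matches the quoted inner header against a constructed table of permitted flows, and applies a per-source token bucket. All addresses, ports and the permitted-flow table are constructed for the example (198.51.100.80 stands in for www.example.com; nothing here resolves or sends anything).

```python
import socket
import struct
from collections import namedtuple

# Constructed table of flows the firewall policy already permits, keyed the way
# the *original* outbound packet carries them: (proto, src, sport, dst, dport).
# 198.51.100.80:80 is a constructed stand-in for www.example.com:80.
PERMITTED_FLOWS = {
    (6, "192.0.2.10", 40000, "198.51.100.80", 80),
}

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header; DF set by default, as a PMTUD sender would."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(router: str, victim: str, inner_src: str, inner_dst: str,
                      sport: int, dport: int, mtu: int) -> bytes:
    """Router -> victim ICMP type 3 code 4 quoting the offending packet's first 28 bytes.

    Only the head of the too-big packet is built (its length field still says 1500),
    because that is all the ICMP message quotes: IP header + 8 bytes of transport.
    """
    offending = ipv4_header(inner_src, inner_dst, 6, 1480) + struct.pack("!HHI", sport, dport, 1)
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, 1, len(icmp), df=False) + icmp


IcmpInfo = namedtuple("IcmpInfo", "src dst type code mtu inner_flow")


def parse_icmp_unreachable(pkt: bytes):
    """Return the outer source, code, next-hop MTU and the quoted inner 5-tuple, or None."""
    if len(pkt) < 20 or pkt[9] != 1:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    flow = (inner[9], socket.inet_ntoa(inner[12:16]), sport, socket.inet_ntoa(inner[16:20]), dport)
    return IcmpInfo(socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
                    typ, code, mtu if code == ICMP_FRAG_NEEDED else None, flow)


class IcmpUnreachablePolicy:
    """Accept unreachables that quote a permitted flow, under a per-source token bucket."""

    def __init__(self, permitted, rate: float = 10.0, burst: int = 5):
        self.permitted, self.rate, self.burst = permitted, rate, burst
        self.buckets = {}  # outer ICMP source -> (tokens, last_seen)

    def _take_token(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[src] = (tokens - 1.0 if ok else tokens, now)
        return ok

    def decide(self, pkt: bytes, now: float) -> str:
        info = parse_icmp_unreachable(pkt)
        if info is None:
            return "DROP: not a well-formed ICMP unreachable"
        if info.inner_flow not in self.permitted:
            return "DROP: quotes no permitted flow"      # spoofed or unrelated
        if not self._take_token(info.src, now):
            return "DROP: rate limit"                    # flood from one source
        return "ACCEPT"


if __name__ == "__main__":
    policy = IcmpUnreachablePolicy(PERMITTED_FLOWS)
    legit = build_frag_needed("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.80", 40000, 80, 1280)
    spoof = build_frag_needed("203.0.113.1", "192.0.2.10", "192.0.2.10", "198.51.100.80", 40000, 22, 576)
    print(parse_icmp_unreachable(legit))
    print(policy.decide(legit, 0.0), "|", policy.decide(spoof, 0.0))
```

The match on the quoted inner header is the same idea a stateful firewall applies when it marks ICMP errors as RELATED to an existing connection; a message that quotes no known flow is the case an attacker would forge, and dropping it costs nothing. A message that does quote a permitted flow is what the sender needs to lower its path MTU, so it is accepted until the per-source bucket empties, at which point the drop is temporary rather than a blackhole.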