Firewall Wizards mailing list archives

Re: Multicast Firewall


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Wed, 22 Oct 2003 15:34:29 -0400

Ravi Kumar wrote:
I was asked to prepare specifications for multicast firewall.

Interesting problem!!! What are the security policy problems of a
multicast message? Then work your way back from there. It has
a source, right, but no destination? I'd argue that a multicast
firewall should be able to *add* destination specifiers to match
sources. So I'd like to be able to tell it "this service can be
multicasted to these machines only." There's another question
which is "what services, in a security-conscious environment,
make *sense* to multicast?" Start with those and then ask
yourself what security controls you can add to them.

Back when I was doing firewalls, that was the logic I followed:
look at the overall communications problem and then figure out
what security the firewall could *add* - on the assumption that
everything lacked underlying security. Usually that's a good
assumption.

mjr. 
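
[Added example, not part of the original message: one way to express "this service can be multicast to these machines only" as a default-deny policy check. The rule format, service name, and all addresses (documentation ranges) are constructed assumptions.]

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    service: str       # human-readable label (hypothetical)
    source: str        # the only sender permitted for this service
    group: str         # multicast group address
    port: int          # UDP destination port
    receivers: tuple   # hosts/networks allowed to receive the stream


# Constructed policy: the firewall *adds* destination specifiers to a source.
POLICY = [
    Rule("market-feed", "192.0.2.10", "239.1.1.1", 5000,
         ("198.51.100.0/28", "203.0.113.7/32")),
]


def find_rule(policy, source, group, port):
    """Return the rule matching (source, group, port), or None."""
    src = ipaddress.ip_address(source)
    grp = ipaddress.ip_address(group)
    if not grp.is_multicast:
        return None  # not a multicast flow, so this policy does not apply
    for rule in policy:
        if (ipaddress.ip_address(rule.source) == src
                and ipaddress.ip_address(rule.group) == grp
                and rule.port == port):
            return rule
    return None


def allowed_receivers(policy, source, group, port, joined):
    """Filter the hosts that joined a group down to those the policy permits.

    Default deny: an unknown source, group, or port forwards to nobody.
    """
    rule = find_rule(policy, source, group, port)
    if rule is None:
        return []
    nets = [ipaddress.ip_network(n) for n in rule.receivers]
    return [h for h in joined
            if any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    joined = ["198.51.100.3", "198.51.100.40", "203.0.113.7"]  # constructed
    print(allowed_receivers(POLICY, "192.0.2.10", "239.1.1.1", 5000, joined))
```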
