
Re: Firewall



On Wed, Aug 22, 2001 at 11:42:59PM -0400, Adam William Lydick wrote:
> * I am assuming your firewall exists to protect your network, by providing
> packet filtering (potentially inbound AND outbound).
> 
> 1) If an attacker learns an internal address, and your internal network is
> unrouted (on a single segment of ethernet), they would be able to get
> packets (unfiltered) into your network, unless your upstream
> router/DSL/Cable modem etc is doing ingress filtering.

Cable modems are bridges (though many can do IP based filtering).
However, I'm not aware of any cable ISPs who enable IP based filtering
by default.

DSL is a different story since there are several ways that your DSL
"modem" can be configured.  However, you're still depending on the ISP
doing the right thing.  How confident are you regarding your ISPs
default security stance?
 
Even if you've got a leased line, it's unlikely that the router is
doing any filtering unless you paid someone to set it up that way.
It's just too much work for the average install.  ISPs are in business
to make money, not to provide the best possible security to their
customers.

When I worked at an ISP, I liked to bring up security issues.
Invariably the response was "well, security is good but if it affects
customers' ability to use the network we're not going to do it."
Since "customers' ability to use the network" often meant that the
customer wanted to do something dumb from a security stance, we didn't
do much filtering by default.  What little filtering we did do was
designed to protect us (filter DHCP so a customer can't provide DHCP
replies to other customers, filter RFC 1918 addresses at the gateway to
prevent those addresses from accessing the internet, filter source
addresses not in our netblocks from accessing the internet, filter
incoming traffic with source addresses in our netblocks, etc).

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton
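The four default filters listed at the end of the message above (DHCP replies from customers, RFC 1918 sources leaving, sources outside the ISP's netblocks leaving, and the ISP's own netblocks arriving as a source from outside) written out as a packet-classification function. This is an added example, not code from the post or from any ISP's routers: the netblocks, port numbers and sample packets are constructed. It also makes Adam's point concrete: with only the rules the post lists, a packet arriving from the internet side with a spoofed RFC 1918 source address is still accepted; the `drop_inbound_rfc1918` flag is an addition beyond that list showing the extra check needed to stop it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values (hypothetical): the ISP's customer netblocks and the RFC 1918 ranges.
ISP_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DHCP_SERVER_PORT = 67  # UDP source port of a DHCP server reply


@dataclass(frozen=True)
class Packet:
    direction: str   # "from_customer" (toward internet) or "from_internet" (toward customers)
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def filter_decision(pkt, drop_inbound_rfc1918=False):
    """Return (verdict, rule) for one packet at the ISP gateway.

    The rules mirror the list in the post. drop_inbound_rfc1918 is an
    addition beyond that list, to show what it takes to stop spoofed
    private-address packets coming in from the internet side.
    """
    if pkt.direction == "from_customer":
        # Customers must not act as DHCP servers for other customers.
        if pkt.proto == "udp" and pkt.sport == DHCP_SERVER_PORT:
            return ("drop", "dhcp-reply-from-customer")
        # RFC 1918 addresses must not reach the internet.
        if in_any(pkt.src, RFC1918):
            return ("drop", "rfc1918-source-egress")
        # Anything else not in our netblocks is a spoofed source.
        if not in_any(pkt.src, ISP_NETBLOCKS):
            return ("drop", "foreign-source-egress")
        return ("accept", "egress-ok")
    if pkt.direction == "from_internet":
        # Our own addresses can never legitimately arrive from outside.
        if in_any(pkt.src, ISP_NETBLOCKS):
            return ("drop", "own-netblock-source-ingress")
        # Not in the post's list: only enforced when explicitly enabled.
        if drop_inbound_rfc1918 and in_any(pkt.src, RFC1918):
            return ("drop", "rfc1918-source-ingress")
        return ("accept", "ingress-ok")
    raise ValueError(f"unknown direction {pkt.direction!r}")


# Constructed sample traffic: one packet per rule plus the spoofed-private case.
SAMPLE = [
    Packet("from_customer", "203.0.113.10", "192.0.2.1"),
    Packet("from_customer", "192.168.1.5", "192.0.2.1"),
    Packet("from_customer", "192.0.2.99", "192.0.2.1"),
    Packet("from_customer", "203.0.113.10", "203.0.113.255", "udp", 67, 68),
    Packet("from_internet", "203.0.113.10", "203.0.113.20"),
    Packet("from_internet", "192.0.2.1", "203.0.113.20"),
    Packet("from_internet", "192.168.1.5", "203.0.113.20"),
]


def run_sample(drop_inbound_rfc1918=False):
    """Classify SAMPLE; returns a list of (src, verdict, rule) tuples."""
    return [(p.src,) + filter_decision(p, drop_inbound_rfc1918) for p in SAMPLE]


if __name__ == "__main__":
    for row in run_sample():
        print("%-15s %-6s %s" % row)
```

Run it as-is to see the last sample packet (source 192.168.1.5 arriving from the internet side) pass with the post's rule set; call `run_sample(True)` to see the same packet dropped once the extra ingress check is on. Order matters in the egress branch: the RFC 1918 test sits before the general "not our netblock" test only so that the log names the more specific reason.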
