From owner-freebsd-security Tue Dec 14 14:37:42 1999
From: "BSDman" <usebsd@free.fr>
To:
Subject: RE: Why use a Firewall?
Date: Tue, 14 Dec 1999 23:41:52 +0100
Message-ID:
In-Reply-To: <19991214172928.A80831@atdot.dotat.org>
Sender: owner-freebsd-security@FreeBSD.ORG

> Pierre Chiu wrote:
> > I don't think a firewall can stop spoofed IP.
> > It can stop non-routable IP like (192.168.1.1), but if your IP is
> > 24.112.1.1 and you spoofed it as 24.118.1.1, I doubt a firewall
> > can detect it.
>
> Mark Newton wrote:
> Of course a firewall can do that.

A firewall cannot protect against IP spoofing in the general sense. It can stop external packets using internal addresses, but it cannot detect that an external packet has spoofed an external address. I think that's what Pierre meant.

To say it simply, a firewall divides the world into two regions: a private one and a public one, and helps in controlling traffic between these regions (using many interfaces, one can have many regions, but let's stay simple...). If your site is very security sensitive, you'll have to assume that all the external world is hostile and full of intruders. So, you'll have to configure your firewall to reject any connections requested by an outsider (you'll have to permit responses to your packets!).

Even if you don't have a similar policy, you'll have to admit that you cannot really distinguish (from a security policy point of view) two external addresses unless you use some specific protection (IPSEC, SSL, ...). So you can't say, "my web server is available for everybody except from a given address."

Note also that firewalls cannot protect against "hard" attacks such as hijacking, so authentication by itself does not help.

Anyway, a firewall is necessary for almost all networks connected to an "untrusted" network (such as the Internet). Its objectives are:

- "physically" separate the trusted and the untrusted networks
- centralize access control

A generally admitted objective is that a firewall is configured securely and runs in a secure environment (OS, software...), which is not the case for all internal hosts. One can however think of a theoretical network in which all hosts implement firewalling software and are configured correctly (from security and network points of view). Then, there is no need for a firewall (in theory). But who will bother to check all those configurations? That's where a firewall is good: put all your eggs in one basket and watch that basket carefully!

mouss
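The two-region policy described in the message above, as an added example that is not part of the original post or of any FreeBSD ruleset: a small stateful packet filter that drops outside packets claiming an inside or non-routable source (the spoofing a firewall can stop), rejects connection requests from outsiders while passing replies to connections opened from inside, and then shows that a packet from 24.112.1.1 forged to look like 24.118.1.1 is passed, because address-based filtering has nothing to distinguish it by. The internal range 192.168.1.0/24, the `Packet` and `Firewall` classes and the `demo()` scenarios are all assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology for the example: one internal network behind the firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Private/loopback ranges that must never appear as a source on the outside interface.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "ext" (public side) or "int" (private side)
    src: str      # source address as written in the IP header
    dst: str
    sport: int
    dport: int
    syn: bool     # True for a TCP connection request (SYN without ACK)
    origin: str = ""  # who really put it on the wire; NOT visible to the filter


class Firewall:
    """Two-region stateful packet filter: private side vs. public side (constructed example)."""

    def __init__(self):
        # Connections opened from inside: (int_ip, int_port, ext_ip, ext_port)
        self.state = set()

    def filter(self, p: Packet) -> tuple:
        src = ipaddress.ip_address(p.src)
        if p.iface == "ext":
            # Ingress anti-spoofing: an outside packet must not claim an inside
            # or non-routable source. This is the spoofing a firewall CAN stop.
            if any(src in n for n in INTERNAL_NETS + NON_ROUTABLE):
                return ("drop", "spoofed internal source on external interface")
            # Policy: outsiders may not open connections.
            if p.syn:
                return ("drop", "inbound connection request")
            # Replies to connections we opened are allowed. Only the claimed
            # source address is checked; p.origin is never consulted because
            # a real filter has no equivalent of it.
            if (p.dst, p.dport, p.src, p.sport) in self.state:
                return ("pass", "reply to connection opened from inside")
            return ("drop", "no matching connection")
        # Egress: inside hosts must use inside addresses (keeps us from spoofing others).
        if not any(src in n for n in INTERNAL_NETS):
            return ("drop", "spoofed source on internal interface")
        if p.syn:
            self.state.add((p.src, p.sport, p.dst, p.dport))
        return ("pass", "outbound")


def demo() -> dict:
    """Run constructed packets through the policy; returns {scenario: verdict}."""
    fw = Firewall()
    out = {}
    # 1. Outsider forges an internal address: stopped.
    out["spoof_internal"] = fw.filter(
        Packet("ext", "192.168.1.1", "192.168.1.10", 4444, 80, True, origin="24.112.1.1"))[0]
    # 2. Outsider tries to open a connection to an inside host: stopped.
    out["inbound_setup"] = fw.filter(
        Packet("ext", "24.112.1.1", "192.168.1.10", 4444, 22, True, origin="24.112.1.1"))[0]
    # 3. Inside host connects to 24.118.1.1:80, creating state.
    out["outbound"] = fw.filter(
        Packet("int", "192.168.1.10", "24.118.1.1", 50000, 80, True, origin="192.168.1.10"))[0]
    # 4. Genuine reply from 24.118.1.1: passed.
    out["reply"] = fw.filter(
        Packet("ext", "24.118.1.1", "192.168.1.10", 80, 50000, False, origin="24.118.1.1"))[0]
    # 5. 24.112.1.1 sends the same packet with the source forged as 24.118.1.1.
    #    The filter sees an identical header and passes it: external-to-external
    #    spoofing is invisible to address-based filtering.
    out["spoof_external"] = fw.filter(
        Packet("ext", "24.118.1.1", "192.168.1.10", 80, 50000, False, origin="24.112.1.1"))[0]
    # 6. A packet with an external source but no matching connection: dropped.
    out["unsolicited"] = fw.filter(
        Packet("ext", "24.118.1.1", "192.168.1.10", 80, 50001, False, origin="24.118.1.1"))[0]
    return out


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:16s} {verdict}")
```

Scenarios 4 and 5 differ only in the `origin` field, which the filter deliberately never reads; that is exactly the gap the message describes, and it is why only something that authenticates the peer (IPsec, TLS) rather than the address can close it.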