Re: program/binary ip filtering

Wed, 18 Apr 2007 12:59:34 -0700 

At 3:46p -0400 18 Apr 2007, Chuck Swiger wrote:

On Apr 18, 2007, at 12:17 PM, Kevin Hunter wrote:

At 2:42p -0400 18 Apr 2007, Bill Moran wrote:
Are you saying that you want to have the packet filter check to see what application is listening on a particular port, then allow/deny access based on the name of the application? 

Exactly.



You should consider just how difficult it is to rename a malicious  
program to, say, "ssh" in order to get around such checking.   
(Answer: trivial.)  If you really want to control traffic in this  
fashion, you should look towards what the industry calls "deep  
packet inspection" or mandatory usage of proxies for all permitted  
protocols, instead.



Hrm.  I was assuming that if I got into the nitty gritty, I could do  
more than just check the name of the binary, but perhaps not?  Thanks  
for the warning.



Do you not have control over what is run on this system?


So perhaps our specific example might be prudent:

[snip]

It's blocking because we are dropping all packets not destined for  
port 22.  Since ssh /from/ the bastion picks a random high port,  
it's dropping all the return packets to that random high port.



How have others handled this type of scenario, where a hardening  
of a bastion host has been desired/necessary?



The main approaches are to use a stateful firewall ruleset, to  
explicitly permit return traffic via additional rules, or to simply  
permit established connections through.  These options are arranged  
in rough order of how secure they are.



I have been given to understand that this approach does not lend  
itself to fine-tuning down the road, if such -- for /some/ reason --  
were needed. . . .?



I suspect that you are encountering a steep learning curve,


You are /probably/ (read: definitely) correct.  I am. :-)


and that some additional reading will help you make much better  
decisions about how to configure a firewall.


Consider getting either or both of:

"Building Internet Firewalls", ISBN-10: 1565928717
http://www.oreilly.com/catalog/fire2/


"Firewalls and Internet Security: Repelling the Wily Hacker",  
ISBN-10: 020163466X
http://www.aw-bc.com/catalog/academic/product/0,1144,020163466X, 
00.html


Will look into those.  Thank you again.

Kevin
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"






















					Reply via email to