Hi Kathleen,

On 24 Nov 99, at 16:24, [EMAIL PROTECTED] wrote:

> hard to believe.  I did put in the request, but I would love to hear
> what other people are doing about protocols like Real Audio, if they are
> permitted.
> 

There is no way to protect your internal network securely with static 
packet filters for protocols like ftp or RealAudio.

If you open the UDP range for server-initiated incoming RealAudio 
streams, you're lost. The same goes for active ftp data connections initiated 
from port 20 of the server.
Tools like nmap are able to scan from fixed source ports like tcp/20, and 
so there are only four solutions:

(1) drop firewalls with static packet filters and get better ones
(2) implement static filters and expose your internal network
(3) deny the use of RealAudio and active ftp for all users
(4) put application proxies for ftp and RealAudio in your DMZ, which will 
only expose your proxy server (if you don't have a proxy, put a dedicated 
machine in the DMZ where users can do RealAudio)



Kind Regards / Mit freundlichen Gruessen,

--
Frank M. Heinzius          MMS Communication AG         .~.
mailto:[EMAIL PROTECTED]        Eiffestrasse 598             /V\
http://www.mms.de          20537 Hamburg, Germany      // \\
Phone: +49 40 211105-40    Fax: +49 40 210 32 210     /(   )\
-- spam forbidden --       -- PGP key available --     ^^-^^
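
The contrast drawn in the message above, as an added example that is not part of the original e-mail: a static rule that admits anything from TCP source port 20, next to a filter that admits an active-ftp data connection only after seeing the client's PORT command. The class and function names, the internal prefix and all addresses are constructed for illustration.

```python
# Added illustration: static vs. stateful handling of active-FTP data
# connections. All addresses and ports are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

INTERNAL_PREFIX = "10.0.0."   # assumed internal network

def static_filter(pkt):
    """Static rule for active FTP: allow inbound TCP from source port 20
    to any unprivileged port on the internal network."""
    return (pkt.dst.startswith(INTERNAL_PREFIX)
            and pkt.sport == 20 and pkt.dport >= 1024)

class StatefulFilter:
    """Allows an inbound data connection only if an internal client
    announced it with a PORT command on an FTP control session."""
    def __init__(self):
        self.expected = set()   # (server_ip, client_ip, client_port)

    def see_port_command(self, client, server, line):
        # PORT h1,h2,h3,h4,p1,p2 -> address h1.h2.h3.h4, port p1*256+p2
        fields = line.split()[1].split(",")
        ip = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        if ip == client:            # ignore PORT pointing at a third host
            self.expected.add((server, ip, port))

    def allow_inbound(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.sport == 20 and key in self.expected:
            self.expected.discard(key)   # one data connection per PORT
            return True
        return False

def compare():
    fw = StatefulFilter()
    fw.see_port_command("10.0.0.5", "192.0.2.10", "PORT 10,0,0,5,195,80")
    data = Packet("192.0.2.10", 20, "10.0.0.5", 195 * 256 + 80)
    probe = Packet("198.51.100.7", 20, "10.0.0.9", 6000)  # unsolicited
    return {"static": (static_filter(data), static_filter(probe)),
            "stateful": (fw.allow_inbound(data), fw.allow_inbound(probe))}
```

The static rule accepts both the legitimate data connection and the unsolicited packet, because source port 20 is the only thing it can check; the stateful filter accepts only the connection that matches a PORT command it observed.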