At 19:17 23/07/00 -0400, Chris Brenton wrote:
>J Weismann wrote:
> >
> > so I take it UDP is still used even though it is not as secure as TCP.
>
>UDP is not as _reliable_ as TCP, but IMHO it's no more difficult to
>secure unless you are talking static packet filters. With any other
>firewall technology, it's no worse or better.
uhum?! You're getting too generic here, no? and generic is generally false...
A service is not secure simply because it uses TCP instead of UDP.
Note that the SYN flooding attack, SMTP attacks, HTTP attacks,
FTP attacks, ... are attacks that concern TCP and TCP based services.
many firewall vendors, just because they have nothing to sell for UDP, simply
say "heh, but UDP cannot be secured anyway. let's talk about our super TCP
filter/proxy".
and after all, what will a stateful packet filter like the one in FW1 do
against an http tunnelled content attack? what will the Gauntlet's proxies
do against things like the "I love you" attack?
UDP certainly introduces some programming problems, but these are
programming problems, and programming problems should always be kept in the
programming area (I could also say that IP is not secure because it is not
reliable, because of fragmentation attacks, because of ..... so what?).
> > Would
> > removing the UDP settings stop all TCP traffic along the same lines also?
>
>Humm, not sure what you mean by this. UDP is a transport like TCP. They
>are separate animals.
I'm trying to guess what his question is....
anyway, if he disables UDP, then URLs using names such as "www.netbsd.org"
wouldn't work. and since most of the links specified in web pages use domain
names, the web traffic won't work. one could however do a "telnet 1.2.3.4"
and so....
anyway, there is no point in suppressing UDP, unless one suppresses the
whole IP.
one should disable services that are not needed or that are security risks,
whether they be TCP, UDP or Uranus.
......
regards,
mouss