On Fri, Jun 22, 2001 at 07:47:27AM -0700, Sudipto basu wrote:
> can any one let me know why Router level firewalls are
> not good at filtering FTP, X11 and DNS packets.
They are not good at filtering FTP, because to do this, you (the router) have
to understand the FTP Protocol, to know when a Data Connection is being
made. This understanding in a router (i.e. on a packet level) is hard to be
done in a way it cannot be exploited. Generally it is too easy to trick the
router into thinking it sees a valid FTP Protocol and it will open up an
arbitrary port for incoming connections. Restricting the ports the router
should open and doing a strict protocol analysis are things only an
application level proxy can do really well.
For DNS it is a bit easier, a packet filter can actually keep state of
outgoing DNS requests and pass only the responses back. But on a Firewall
you may want to have additional security by actually looking into the DNS
packets and making sure they are valid. That way a DNS server behind it cannot be
exploited. This could only be done by a DNS proxy, which again is not a
normal router feature.
For X11 it is quite easy to filter it by a router. One problem is again,
that X11 will not be syntax checked, another problem is, that X11
connections are by themselves insecure because they are unencrypted. And another option
is, that if you have a masquerading router allowing inbound X11 Access, you
may need some kind of switchboard, so the outside user can authorize against
the firewall and the firewall will then forward the X11 connection to a user
Display. This is not done in Routers very well.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
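Added illustration (not from Bernd's mail or from any router product) of the FTP point above: a loose packet filter opens whatever address and port a PORT command names, while the strict check Bernd attributes to an application-level proxy only opens a data pinhole back to the control connection's own source, in the unprivileged range. The function names and the sample PORT lines are assumptions made for this sketch.

```python
import re
from typing import Optional, Tuple

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" names the client address and the
# data port (p1*256 + p2) the server should connect back to.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE,
)


def parse_port(line: str) -> Optional[Tuple[str, int]]:
    """Decode a PORT command into (ip, port); None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def naive_pinhole(line: str, client_ip: str) -> Optional[Tuple[str, int]]:
    """Loose packet-level behaviour: open exactly what the PORT line asks for,
    regardless of which host or port that is (the problem the mail describes)."""
    return parse_port(line)


def strict_pinhole(line: str, client_ip: str,
                   allowed=(1024, 65535)) -> Optional[Tuple[str, int]]:
    """Proxy-style check: the data address must be the control connection's
    own source, and the port must lie in the unprivileged range."""
    parsed = parse_port(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:
        return None          # refuse third-party (bounce) destinations
    if not allowed[0] <= port <= allowed[1]:
        return None          # refuse well-known service ports
    return ip, port


if __name__ == "__main__":
    # Constructed control-channel lines from a client at 10.0.0.5.
    print(naive_pinhole("PORT 10,0,0,9,0,22\r\n", "10.0.0.5"))   # opens 10.0.0.9:22
    print(strict_pinhole("PORT 10,0,0,9,0,22\r\n", "10.0.0.5"))  # None
    print(strict_pinhole("PORT 10,0,0,5,4,1\r\n", "10.0.0.5"))   # ('10.0.0.5', 1025)
```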