RE: [fw-wiz] terminal services

From: Reckhard, Tobias (tobias.reckhard@secunet.com)
Date: 01/29/03


From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Jan 29 02:13:21 2003

Barney Wolff <barney@pit.databus.com> wrote on January 29, 2003 1:36 AM:
> Any network without a state-keeping firewall between it and the Internet
> really needs to have just one or two DNS caching proxies doing requests
> from port 53, ditto NTP, and block all other UDP. Anything else is just
> too dangerous, not by a little, but by a whole lot.

Source ports are worth pretty much zilch when filtering TCP or UDP. It's not
a good security decision to design a filter that attempts to allow (only)
outbound DNS queries based on outbound packets having source port 53 and
inbound packets having destination port 53. Rather, the source port (in the
outbound direction) should be able to be pretty much anything, while the
destination port is the one that needs to be checked. Same for NTP or any
other service.

There are protocols that use fixed client as well as server ports. IKE
appears to be one of them (but DNS and NTP definitely aren't). You can
configure your packet filter, stateful or not, more restrictively by
restricting the source ports used. It may buy you some added security. Most
of the time, that won't be much, though.

Cheers,
Tobias
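A toy model of the two filter designs discussed in this message, added here as an illustration and not part of the original post: a stateless ruleset that keys on source port 53, beside a stateful filter that lets the resolver use any source port and admits inbound UDP only as a reply to a recorded query. The resolver address and the sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

RESOLVER = "192.0.2.53"  # constructed: the site's caching DNS proxy

def stateless_source_port_filter(pkt):
    """Stateless rules that trust source port 53 in both directions."""
    if pkt.proto != "udp":
        return False
    if pkt.direction == "out":
        return pkt.src_ip == RESOLVER and pkt.src_port == 53 and pkt.dst_port == 53
    # Anything on the Internet can set its source port to 53, so this
    # inbound rule admits unsolicited datagrams to the resolver's port 53.
    return pkt.dst_ip == RESOLVER and pkt.dst_port == 53 and pkt.src_port == 53

class StatefulFilter:
    """Outbound: any source port, destination port 53. Inbound: replies only."""
    def __init__(self):
        self.pending = set()  # (local_ip, local_port, remote_ip, remote_port)

    def allow(self, pkt):
        if pkt.proto != "udp":
            return False
        if pkt.direction == "out":
            if pkt.src_ip == RESOLVER and pkt.dst_port == 53:
                self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
            return False
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.pending:
            self.pending.discard(key)  # one reply per outstanding query
            return True
        return False

PACKETS = [  # constructed sample traffic, in arrival order
    ("query", Packet("out", "udp", RESOLVER, 40123, "198.51.100.1", 53)),
    ("reply", Packet("in", "udp", "198.51.100.1", 53, RESOLVER, 40123)),
    ("unsolicited from 53", Packet("in", "udp", "203.0.113.9", 53, RESOLVER, 53)),
    ("unsolicited to random port", Packet("in", "udp", "203.0.113.9", 53, RESOLVER, 40123)),
]

def evaluate():
    """Return {name: (stateless_verdict, stateful_verdict)} for each sample packet."""
    stateful = StatefulFilter()
    return {name: (stateless_source_port_filter(p), stateful.allow(p)) for name, p in PACKETS}
```

The stateless design both rejects a legitimate query sent from an ephemeral port and admits an unsolicited datagram that merely claims source port 53; the stateful filter does the reverse on both counts.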


