Re: UDP packets are dropped by the PIX



On Sat, 24 Dec 2005, in the Usenet newsgroup comp.security.firewalls, in
article <doki7i$d96$1@xxxxxxxxxxxxxxxxxxxxxxx>, Walter Roberson wrote:

Merry Christmas!

>>Not allowed on the company wire. The O/P was posting from the New York
>>City Public Schools network - I would hope that they also restrict
>>personal use of city property.
>
>The kind of "financial system" that I was referring to includes
>payroll systems, accounting systems, purchase systems, wage and
>benefit systems, contract details, and so on.

To the best of my knowledge, those rarely see the Internet here. EFT
is handled by some form of tunnel to several banks, but I've seen
no indication of UDP. My wife works in accounting in another company,
and she tells me that there is ALWAYS dead tree backup of all
communications.

>It is not uncommon for people to need access to remote resources
>in different security roles than their neighbours, including
>sometimes at different security levels. Sometimes that is handled
>by using distinct networks, but that approach does not scale well --
>and probably doesn't fit within the budget of the New York City Public
>Schools.

I don't have a breakdown of how they've set up the public school system.
165.155.0.0/16 is the public schools (not including the colleges). The
_city_ has two more /16s (161.185 and 167.153), and other _parts_ of
the city government also have /16s (CUNY, City College, Hospital, Transit
Authority, etc). I'm not including state stuff, or the Port Authority.

>An alternative to using multiple networks is to pass encrypted
>traffic through the common demarc. I have no idea what encryption
>protocols the military or TLAs use these days; the publicly
>available recommended standard, IPSec, relies upon UDP.

Not really my area, but I know the system we're using doesn't depend
on UDP - mainly as a logging question, I think.

>The traditional "defence in layers" setup is to use multiple layers
>of security, not to simply attach different security tags to packets
>that are otherwise all treated equivalently.

Agreed - that's why we have air gaps on our networks, and why I don't
have access to some network stuff, even though I'm a network guy. That
includes payroll for some strange reason ;-)

>Your workplace appears to be operating under a much more stringent
>threat/risk model than would be the case for most locations.

I've mentioned this before - we're an R&D facility, and about 10 years
ago, corporate got religion about this security stuff. Traffic that
enters/leaves our facility (never mind the same deal corporate wide) is
"controlled". Visiting computers is a _total_ no-no, and I understand
that both the janitors and the cafeteria staff had background checks and
have signed NDAs.

>I am not suggesting that UDP should be acceptable under all
>threat/risk models, or even to all locations with roughly the
>same threat/risk model (since different locations have different access
>needs even if they evaluate the risks much the same way).

I'll give you that.

>What I question is your statement that one should not have UDP in any
>"sanely configured firewall". A "sanely" configured firewall
>is one configured according to the needs and resources of the
>organization it is serving. Is UDP really such a security problem
>that Jumbo Jacks' Popcorn Pendants is at dire risk for allowing
>any UDP other than DNS through its firewall?

I'd expect that the professional would know what is needed, and
what is not. The average person we're seeing in this news group is not
the professional, and isn't running a business. As you know, the
"correct" firewall configuration is to allow what is needed, and
block all else. Hence my statement. The O/P sounds more like a
frustrated user, rather than a competent admin enforcing official
policy. Have they turned up on comp.dcom.sys.cisco yet? I don't follow
that group.

Old guy
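As an added illustration of the "allow what is needed, block all else" point above (constructed example, not from the post or from any real PIX configuration): a PIX 6.x-style access list for the inside interface, with the permissive version beside the tightened one. The inside subnet 10.0.0.0/24, the resolver 192.0.2.53 and the list names are assumptions.

```cisco
! --- Permissive (what a frustrated user ends up with): any UDP, anywhere ---
! Constructed example; names and addresses are placeholders.
access-list inside_out permit udp any any
access-list inside_out permit tcp any any
access-group inside_out in interface inside

! --- Tightened: permit only the UDP that is actually needed ---
! Only the one corporate resolver may be reached on UDP/53; everything
! else that is not explicitly permitted hits the logged deny at the end,
! so unexpected UDP shows up in syslog instead of silently vanishing.
no access-list inside_out
access-list inside_out permit udp 10.0.0.0 255.255.255.0 host 192.0.2.53 eq domain
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list inside_out deny ip any any log
access-group inside_out in interface inside
```

The explicit `deny ip any any log` is not required (the PIX denies by default) but it turns every dropped packet into a log line, which is what lets an admin tell a misconfigured application from a policy decision.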