Re: Router filtering not enough! (Was: Re: CERT advisory )

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Jonathan M. Bresler: "Re: Router filtering not enough! (Was: Re: CERT advisory )"
• Previous message: Jonathan M. Bresler: "Re: Re: Router filtering not enough! (Was: Re: CERT advisory )"

	 	we have lost some context here, the original idea included a 
	 router between the internal and external (the Net).  this router drops
	 all packet from the Net that purport to come from the internal ip 
	 address(es).  

Dunno about you, but my organization, where all of the machines are under
common administrative control -- and hence are candidates for hosts.equiv
status -- includes 130 people with their own workstations, at least six
server-class machines, and 6 Ethernets, and is spread over two locations
connected by part of a corporate LAN.  Even just the New Jersey portion
includes 107 people, 5 Ethernets, and 2 routers.

Trust boundaries are administrative concepts, not physical ones.  We
need the flexibility to split a LAN based on load, without worrying if
that will suddenly render useless either our security mechanisms or our
ability to work together efficiently.

If, in your environment, you have additional information you can take
advantage of to increase your security, by all means do so.  But the
net as a whole needs a more general solution.

• Next message: Jonathan M. Bresler: "Re: Router filtering not enough! (Was: Re: CERT advisory )"
• Previous message: Jonathan M. Bresler: "Re: Re: Router filtering not enough! (Was: Re: CERT advisory )"