Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!haven.umd.edu!decuac!hussar.dco.dec.com!mjr
From: mjr@hussar.dco.dec.com (Marcus J. Ranum)
Subject: Re: Firewall usage (was: Re: ping works, but ftp/telnet get "no route)
Message-ID: <1992Jul31.000924.7528@decuac.dec.com>
Sender: news@decuac.dec.com (USENET News System)
Nntp-Posting-Host: hussar.dco.dec.com
Organization: Digital Equipment Corporation, Washington ULTRIX Resource Center
References: <DRW.92Jul27143657@jordan.mit.edu> <17011@ulysses.att.com> <DRW.92Jul30153427@euclid.mit.edu>
Date: Fri, 31 Jul 1992 00:09:24 GMT
Lines: 14

drw@euclid.mit.edu (Dale R. Worley) writes:

>I haven't studied the matter, but I believe that the more
>sophisticated firewalling routers actually *do* track connections.

I prefer to use a somewhat different approach in general. First
you determine the services that your users have a clear business need
for. Then you develop an application gateway that "knows" that protocol
and can give you decent access control, logging, and piggy-back blocking.
This is much more secure (in my opinion) since you preserve the "that which
is not expressly permitted is prohibited" doctrine and you can incorporate
appropriate per-protocol authentication or authorization as needed.

mjr.

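The application-gateway approach described in the post, as an added example that is not part of the original message or any product Ranum worked on: a small Python policy engine that understands a subset of FTP commands, applies a per-user authorization role, logs every decision, and denies anything it does not expressly recognise. The service names, users, roles, command sets and the sample session are all constructed for illustration.

```python
"""Minimal application-gateway policy engine (added example, not from the post).

The gateway only forwards protocol commands it understands, checks the
authenticated user's role for each one, and writes a log line for every
decision. Unknown services, unknown users and unknown commands all fall
through to DENY, which is the "not expressly permitted is prohibited" rule.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# FTP commands the gateway knows how to handle, split by what they let a
# client do. Anything not in either set is unknown and therefore denied.
FTP_READ_CMDS = {"USER", "PASS", "TYPE", "PASV", "CWD", "PWD",
                 "LIST", "NLST", "RETR", "QUIT"}
FTP_WRITE_CMDS = {"STOR", "APPE", "DELE", "MKD", "RMD", "RNFR", "RNTO"}


@dataclass
class Policy:
    # service -> {user -> role}; a service or user that is absent is denied.
    grants: Dict[str, Dict[str, str]]


@dataclass
class Gateway:
    policy: Policy
    log: List[str] = field(default_factory=list)

    def _record(self, service: str, user: str, line: str,
                allowed: bool, reason: str) -> Tuple[bool, str]:
        """Append one audit line and hand the decision back to the caller."""
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{verdict} service={service} user={user} "
                        f"cmd={line.strip()!r} reason={reason}")
        return allowed, reason

    def decide(self, service: str, user: str, line: str) -> Tuple[bool, str]:
        """Evaluate one client command line and return (allowed, reason)."""
        users = self.policy.grants.get(service)
        if users is None:
            return self._record(service, user, line, False, "service not permitted")
        role = users.get(user)
        if role is None:
            return self._record(service, user, line, False, "user not authorized for service")
        if service != "ftp":
            # Only FTP is modelled here; a real gateway dispatches per protocol.
            return self._record(service, user, line, False, "no protocol handler")
        words = line.strip().split()
        cmd = words[0].upper() if words else ""
        if cmd in FTP_READ_CMDS:
            return self._record(service, user, line, True, "read command permitted")
        if cmd in FTP_WRITE_CMDS:
            if role == "write":
                return self._record(service, user, line, True, "write command permitted")
            return self._record(service, user, line, False, "write command requires write role")
        # SITE, PORT and anything else the gateway does not model end up here.
        return self._record(service, user, line, False, "command not in allow-list")

    def run_session(self, service: str, user: str,
                    lines: List[str]) -> List[Tuple[str, bool, str]]:
        """Evaluate a whole client session, returning (line, allowed, reason) per command."""
        return [(line, *self.decide(service, user, line)) for line in lines]


# Constructed policy and session used for the demonstration below.
SAMPLE_POLICY = Policy({"ftp": {"alice": "read", "bob": "write"}})
SAMPLE_SESSION = ["USER alice", "PASS secret", "CWD /pub", "RETR report.txt",
                  "STOR notes.txt", "SITE CHMOD 644 notes.txt",
                  "PORT 10,0,0,5,4,1", "QUIT"]

if __name__ == "__main__":
    gw = Gateway(SAMPLE_POLICY)
    for line, allowed, reason in gw.run_session("ftp", "alice", SAMPLE_SESSION):
        print("ALLOW" if allowed else "DENY ", line, "-", reason)
    # A service with no grant at all is denied before any protocol parsing.
    print(gw.decide("nntp", "alice", "LIST"))
    print("\n".join(gw.log))
```

The point of the allow-list structure is that the gateway never has to enumerate what is dangerous: a command it does not model (SITE, PORT) is denied simply because no handler claims it, and adding a new service means writing a handler and a grant rather than loosening a filter. The log line per decision is what gives the "decent logging" the post asks for, and the role check is where per-protocol authorization plugs in.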