Re: non-IP firewalls

From: Chris Brenton (cbrentonat_private)
Date: Wed Apr 29 1998 - 21:25:12 PDT


    -= ArkanoiD =- wrote:
    
    > The answers made me wonder: people started to say things like "yes, firewall X
    > does support x.25, fddi, token ring, etc..". Such an answer gives me the strong
    > impression that they mean "product X can firewall IP on x.25, fddi,
    > token ring.." which is a completely different thing.
    
    Agreed. Sounds like someone has their layers mixed up. ;)
    
    
    > A question is: what non-IP protocols can be (and should be) firewalled?
    
    "Should" is implementation specific, "can" is a whole different story.
    
    IPX - filter RIPs and SAPs to control server access
    You can control who can get to each server by blocking route and server
    advertisements. This is not as clean as it may sound as you have a few limitations:
    
    1) You can not filter on a per client basis (at least not that I have seen)
    2) Depending on the config, you can circumvent the filtering
    
    For example, let's say I have a client on network 1 and there are two servers on
    network 2. I want the client to be able to access server A but not server B. While
    I can filter out RIP/SAP so the client will not see the server, all the client has
    to do is query server A for all known servers. This will tell me about server B and
    allow me to connect up. To prevent this, I would have to hide server A&B from each
    other, not a good thing in an NDS environment.
    
    AT - Filter Zone names and network ranges
    Again, not the best security control as I must block full ranges, I can not block
    individual clients. AT devices dynamically grab a unique address on startup. This
    means that I can not block individual clients as I can not predict which address
    they will use. Yes this can be preset, but it's way too easy to reset it.
    
    NetBIOS - ????
    None that I know of beyond filtering out traffic to the multicast address
    030000000001. This still is not cool as it would block all NetBIOS/NetBEUI traffic.
    About the equivalent of just cutting the cable. You do get a bit of control if you
    use scopes but this is way too easy to defeat.
    
    Given the above descriptions, I guess IP is not all that insecure after all. ;)
    
    
    > Some people ask me if I can let ipx through firewalls I build - I answer no
    > just because I can't filter and monitor it properly and thus it will break the
    > security policy..
    
    Cisco does a pretty good job of filtering IP, IPX and AT. NetWare 4.1 includes a
    utility called filtcfg that can be run from the server console. You need to enable
    support through inetcfg first, but it does a pretty cool job of controlling traffic
    in multi-NIC servers.
    
    Cheers,
    Chris
    --
    **************************************
    cbrentonat_private
    
    Multiprotocol Network Design & Troubleshooting
    http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
    
    Support the anti-spam movement: http://www.cauce.org/
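The IPX scenario Chris describes (client on network 1, servers A and B on network 2, a router filter that strips server B from SAP advertisements, and a service query to server A that still reveals B) can be modelled end to end. The following Python is an added example, not part of the original post or of any product mentioned in it. It assumes the standard NetWare SAP entry layout (2-byte operation, then 64-byte entries of server type, 48-byte name, 4-byte network, 6-byte node, 2-byte socket, 2-byte hops); the server names, network numbers and node addresses are constructed sample values.

```python
import struct

# SAP packet layout (assumption: the NetWare SAP format):
#   operation (2 bytes, big-endian) followed by 64-byte entries of
#   server type (2), server name (48, NUL padded), network (4),
#   node (6), socket (2), hops (2)
SAP_GENERAL_QUERY = 1
SAP_GENERAL_RESPONSE = 2   # also used for the periodic broadcast advertisements
FILE_SERVER = 0x0004
ENTRY_FMT = ">H48s4s6sHH"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)  # 64

# Constructed sample topology: client on net 1, two file servers on net 2.
NET2 = b"\x00\x00\x00\x02"
SERVER_A = ("SERVER_A", NET2, b"\x00\x00\x00\x00\x00\x0a", 0x0451, 1)
SERVER_B = ("SERVER_B", NET2, b"\x00\x00\x00\x00\x00\x0b", 0x0451, 1)


def build_sap(op, entries):
    """Serialize a SAP packet from (name, network, node, socket, hops) tuples."""
    out = struct.pack(">H", op)
    for name, net, node, sock, hops in entries:
        out += struct.pack(ENTRY_FMT, FILE_SERVER, name.encode("ascii"),
                           net, node, sock, hops)
    return out


def parse_sap(pkt):
    """Parse a SAP packet back into (operation, [entries])."""
    op = struct.unpack(">H", pkt[:2])[0]
    body = pkt[2:]
    if len(body) % ENTRY_LEN:
        raise ValueError("truncated SAP entry")
    entries = []
    for i in range(0, len(body), ENTRY_LEN):
        _stype, name, net, node, sock, hops = struct.unpack(
            ENTRY_FMT, body[i:i + ENTRY_LEN])
        entries.append((name.rstrip(b"\0").decode("ascii"), net, node, sock, hops))
    return op, entries


def sap_filter(pkt, denied_names):
    """Router-side advertisement filter: drop entries for denied server names.

    Returns None when no entry survives, i.e. the advertisement is dropped.
    """
    op, entries = parse_sap(pkt)
    kept = [e for e in entries if e[0] not in denied_names]
    return build_sap(op, kept) if kept else None


def simulate(hide_servers_from_each_other):
    """Return the set of server names the net-1 client ends up knowing about.

    The router filter between net 1 and net 2 strips SERVER_B from every
    periodic advertisement. The unicast reply to a General Service Query is
    not an advertisement, so it passes the filter untouched; the only thing
    that keeps B out of that reply is A never having learned about B.
    """
    table_a = {SERVER_A}
    table_b = {SERVER_B}
    if not hide_servers_from_each_other:
        # Normal NDS-style setup: servers on net 2 see each other's SAPs.
        table_a.add(SERVER_B)
        table_b.add(SERVER_A)

    # Step 1: periodic broadcasts from net 2 cross the router, filtered.
    client_table = set()
    for server_table in (table_a, table_b):
        advert = build_sap(SAP_GENERAL_RESPONSE, sorted(server_table))
        passed = sap_filter(advert, {"SERVER_B"})
        if passed is not None:
            client_table.update(parse_sap(passed)[1])

    # Step 2: the client asks the one server it can see for all known servers.
    query = build_sap(SAP_GENERAL_QUERY, [])
    assert parse_sap(query)[0] == SAP_GENERAL_QUERY
    reply = build_sap(SAP_GENERAL_RESPONSE, sorted(table_a))
    client_table.update(parse_sap(reply)[1])
    return {entry[0] for entry in client_table}


if __name__ == "__main__":
    print("advertisement filter only:", sorted(simulate(False)))
    print("servers also hidden from each other:", sorted(simulate(True)))
```

Running the script shows the two outcomes in the post: with only the advertisement filter the client still learns SERVER_B through A's reply, and the client sees A alone only when A and B are also hidden from each other, which is the NDS trade-off Chris points out.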
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:53 PDT