Subject: Re: SYN cookie ?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-kern
Date: 04/17/2001 12:41:42
On Tue, Apr 17, 2001 at 09:25:59AM -0400, der Mouse wrote:
> > I know there are plenty of reasons that you may not want to run
> > NetBSD on that particular web server, but why is its OS not properly
> > protecting it from SYN floods?
> Does it matter?

Not really. It was a rhetorical question.

> This is *exactly* what firewalls are for: to protect `inside' machines
> from having their vulnerabilities exploited.
> 
> Indeed, it's why I generally don't like firewalls: they amount to
> saying "yes, I know there's this vulnerability, but rather than fix it
> I'd rather just try to paper over it".

I disagree.

The proper application of firewalls is doing things in a faster,
albeit less secure, way internal to a LAN, while being sure that the
services that requires (say, r*, telnet, NFS, etcetera) will under
no circumstances travel out into the outside world.

There are perfectly good reasons one would want clear-text ftp (it's
a damn sight faster than scp) or NFS, and, although these services
can be moderately kept from passing outside a LAN without a
firewall, putting one up protects an outside attacker from even
seeing the services and the network topology of the LAN.

Perverting the use of a firewall to specifying whether packets which
you would ordinarily allow (say, requests to a web server inside the
firewall) are actually okay based on the content of those packets is
distinct from protecting insecure services which you choose to run
WITHIN YOUR LAN for the sake of convenience.

       ~ g r @ eclipsed.net