
List:       firewalls-gc
Subject:    Re: Newbie looking for advice...
From:       Paul Ferguson <pferguso () cisco ! com>
Date:       1995-10-13 4:32:28


> 
> Perhaps someone can tell me if this is total fantasy, but would it be 
> a good start (and possible) to configure the router to only allow 
> connects from the outside to certain hosts on the inside - and to 
> only allow through HTTP packets? Also could we configure it to make 
> sure that no one on the outside has an IP address that is supposed to 
> be on the inside? (IP Spoofing)
>

The 'fix' to block spoofing is a simple one. If you are using
access control mechanisms, simply place an access control list
on the inbound interface explicitly denying entrance to any packet
which claims to be from the internal network (address). Voila.

As to any methodologies which allow access to particular internal
devices, there are certain risks in this approach. By allowing
explicit transient access directly to an internal device, you
expose them to greater risk of compromise.
 
- paul 


-- 
Paul Ferguson                                           ||        ||
cisco Systems                                           ||        ||
Consulting Engineering                                 ||||      ||||
pferguso@cisco.com                                 ..:||||||:..:||||||:..
                                                   c i s c o S y s t e m s
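
The inbound filter discussed in this message, modelled as an added example that is not part of the original post or any router's own configuration syntax. It assumes first-match rule evaluation with a default deny; the addresses, host set and rule names are constructed for illustration. It shows why the deny for inside source addresses has to sit ahead of the HTTP permit on the outside interface.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")      # constructed: the internal network
WEB_HOSTS = {ip_address("192.0.2.10")}   # constructed: inside hosts reachable from outside

def match(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    if "src_net" in rule and ip_address(pkt["src"]) not in rule["src_net"]:
        return False
    if "dst_hosts" in rule and ip_address(pkt["dst"]) not in rule["dst_hosts"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    return True

def evaluate(acl, pkt):
    """Assumed semantics: first matching rule wins, no match means deny."""
    for rule in acl:
        if match(rule, pkt):
            return rule["action"]
    return "deny"

# Deny anything arriving from outside that claims an inside source address.
ANTI_SPOOF = {"action": "deny", "src_net": INSIDE}
# Permit only HTTP, and only to the listed inside hosts.
ALLOW_HTTP = {"action": "permit", "dst_hosts": WEB_HOSTS, "dport": 80}

INBOUND_ACL = [ANTI_SPOOF, ALLOW_HTTP]      # spoof check evaluated first
MISORDERED_ACL = [ALLOW_HTTP, ANTI_SPOOF]   # spoof check never reached for port 80

# Constructed packets as seen on the outside (inbound) interface.
PACKETS = {
    "outside client to web host": {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80},
    "inside source seen outside": {"src": "192.0.2.55", "dst": "192.0.2.10", "dport": 80},
    "outside client to telnet": {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 23},
    "outside client to other host": {"src": "198.51.100.7", "dst": "192.0.2.20", "dport": 80},
}

def verdicts(acl):
    """Return the permit/deny decision for every sample packet under one ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    good, bad = verdicts(INBOUND_ACL), verdicts(MISORDERED_ACL)
    for name in PACKETS:
        print(f"{name:30} ordered={good[name]:6} misordered={bad[name]}")
```

With the rules reversed, the packet carrying an inside source address is permitted because the HTTP rule matches before the source check is consulted.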
