List:       firewalls-gc
Subject:    Re: Cisco Access Lists and NetFlow
From:       Marc Mosko <marc () tear ! com>
Date:       1996-09-20 13:04:47

A flow is the complete source IP/port and destination IP/port address. 
Netflow is no less secure than regular security lists.  It is vulnerable
to IP spoofing just like regular lists.

The idea is that once a source IP/port is authorized for a destination
IP/port address, it does not need to be checked each time.  If nothing
changes -- the access list and the IP/port addresses -- then why check
every time?

I am not sure of the exact mechanics when an access list changes.  This
is what I would be worried about.  One would hope that all flows
pertaining to that list (and only those flows) would be re-authorized.


gary flynn wrote:
> "With Netflow Switching, only the first packet in a flow follows
> this process. If the first packet in a flow passes through these
> filters, an entry is added to the Netflow Switching cache. Subsequent
> packets in the same flow are then switched based on this cache
> entry, without needing to be matched against the complete set of
> access lists."
> 
> Has anyone analyzed the security implications of this when the
> router is being used in a firewall application? It sounds great
> for performance but off-hand, it also sounds like there is room
> for abuse.

-- 
   Marc Mosko                   Email: marc@tear.com
                                Web:   http://www.tear.com/

   "If anyone knocks out another's eye, he shall pay him
   sixty-six shillings, six pence, and a third of a penny."
   -- Leges Henrici Primi (13th century)

           PGP Key available via Public Servers and
               http://www.tear.com/pgp-key.html
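The cache behaviour discussed in this thread, as a toy model added here (it is not code from the original post or from Cisco): one ACL check on the first packet of a flow, cache hits afterwards, and the difference between flushing the cache when the list changes and leaving stale entries in place. The router class, the ACL tuple format and the addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Toy flow-cache router: a flow is (src_ip, src_port, dst_ip, dst_port).
# ACL entries are (action, src_ip, dst_ip, dst_port); first match wins and
# there is an implicit deny at the end, as in a classic extended list.
@dataclass
class FlowRouter:
    acl: list
    cache: set = field(default_factory=set)
    acl_checks: int = 0  # how many packets actually hit the access list

    def acl_permits(self, flow):
        self.acl_checks += 1
        src, _sport, dst, dport = flow
        for action, a_src, a_dst, a_dport in self.acl:
            if a_src in ("any", src) and a_dst in ("any", dst) \
                    and a_dport in ("any", dport):
                return action == "permit"
        return False  # implicit deny

    def forward(self, flow):
        if flow in self.cache:        # subsequent packet: cache hit, no ACL lookup
            return True
        if self.acl_permits(flow):    # first packet of the flow: full ACL check
            self.cache.add(flow)
            return True
        return False

    def replace_acl(self, new_acl, flush_cache):
        self.acl = new_acl
        if flush_cache:               # re-authorize: every cached flow must pass again
            self.cache.clear()
        # otherwise stale entries keep forwarding until they age out


def simulate(flush_on_change):
    """Return (forwarded_before, forwarded_after, acl_checks) for one flow."""
    # Constructed sample flow and lists; the addresses are not real hosts.
    flow = ("10.0.0.5", 40000, "192.0.2.10", 23)
    router = FlowRouter(acl=[("permit", "any", "192.0.2.10", 23)])
    before = [router.forward(flow) for _ in range(3)]   # 1 ACL check, 2 cache hits
    # Operator now denies that source host entirely and reinstalls the list.
    router.replace_acl([("deny", "10.0.0.5", "any", "any"),
                        ("permit", "any", "192.0.2.10", 23)], flush_on_change)
    after = router.forward(flow)
    return before, after, router.acl_checks
```

With `flush_on_change=False` the denied flow is still forwarded from the cache with no further ACL check; with `True` the next packet is checked against the new list and dropped.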
