
On Sun, 26 Jan 2003, Rob Thomas wrote:
Hey, Chris.
] or the one that stealthily permitted udp 1434 from the outside world :(
Yeah. :(
This is yet another reason why I tell folks with firewalls NOT to allow everything from the internal (often mistakenly labelled "trusted") net to the external nets.
The unfortunate but required security precaution is that you really should filter as low down in the network as possible; this allows the most granular filtering possible. Much of that could be accomplished with simple router ACLs. Filtering as close to the end hosts as possible allows you to explicitly permit/deny traffic to the services required without as many compromises on ACL length or granularity. Note: it may require some automation of the ACL deployment, or management of the ACLs could become 'complex' :)
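As an added illustration (not part of Chris's or Rob's original messages), here is the contrast the reply describes in Cisco IOS extended-ACL syntax: the permissive "trust the inside" list beside one applied on the router interface nearest the end hosts that permits only the required services and explicitly drops the udp/1434 traffic the thread is about. The addresses, interface name and the set of required services are assumed for the example.

```cisco
! --- Weak form: everything from the "trusted" inside net is allowed out.
! --- An infected inside host can reach udp/1434 on the entire Internet.
ip access-list extended INSIDE-OUT-WEAK
 permit ip 10.1.0.0 0.0.255.255 any
!
! --- Corrected form, applied on the LAN-facing interface (closest to the hosts).
! --- Only the services the hosts actually need are permitted; udp/1434 is
! --- explicitly denied and logged so egress attempts show up in the logs.
! --- 10.1.0.0/16 (hosts), 10.0.0.53 (DNS), 10.0.0.25 (SMTP relay) are assumed.
ip access-list extended INSIDE-OUT
 remark -- drop SQL resolution service (udp/1434) to anywhere and log the hits
 deny   udp 10.1.0.0 0.0.255.255 any eq 1434 log
 remark -- explicitly permit only the required services
 permit udp 10.1.0.0 0.0.255.255 host 10.0.0.53 eq 53
 permit tcp 10.1.0.0 0.0.255.255 host 10.0.0.25 eq 25
 permit tcp 10.1.0.0 0.0.255.255 any eq 80
 permit tcp 10.1.0.0 0.0.255.255 any eq 443
 remark -- everything else leaving the inside net is dropped and logged
 deny   ip any any log
!
interface FastEthernet0/0
 description LAN segment, 10.1.0.0/16
 ip access-group INSIDE-OUT in
```

Applying the list inbound on the LAN-facing interface means the router evaluates it before the traffic crosses to any other segment, which is the "as low down as possible" placement the reply recommends; `show access-lists INSIDE-OUT` shows the per-entry hit counters, so a spike on the udp/1434 deny line points at the infected segment.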