Installing and Administering PPP

108 Chapter 5
Security Techniques
Writing a Stanza - A Complex UDP Example
The following section describes the writing of a rather complex packet
filter involving the Domain Name System (DNS). It provides a good
example of why you need to understand the applications in use when
writing packet filters. It also shows the difficulty of writing static packet
filters for UDP packets without permitting inbound network access in
order to permit outbound service.
A brief explanation follows each rule. The explanation attempts to
illustrate the security considerations which prompted the creation of the
rule.
An Unsafe Domain Name System Rule
Your security policy should allow access for packets that need to cross the
link to fulfill your needs, while still keeping out as many unrelated
packets as possible. Look at the following example of a rule concerning
domain name queries. It is one of the easiest rules you could add to permit
domain name queries, but it is also the most insecure.
1. domain/udp
Think of the stanza as though it were translated into this simple
pseudo-code:
if
    protocol is UDP AND
    source or destination port is domain (53)
then
    permit the packet to pass
This means that a user on an outside host sending a UDP packet from
port 53 could reach any UDP destination port on any host on your local
network, including privileged ports used by other services. This would
not be safe.
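The logic of that stanza as a runnable model, added here as an example that is not part of the manual: it evaluates the pseudo-code above against constructed packets and shows the hole, beside a tightened check that is an assumption for illustration only (the addresses, the choice of ports 111 and 514, and the restriction to the local name server are not from the page).

```python
from dataclasses import dataclass

DOMAIN = 53                  # the 'domain' service port
NAME_SERVER = "192.0.2.10"   # constructed address of the local name server


@dataclass(frozen=True)
class Packet:
    inbound: bool      # True: arrives over the PPP link from outside
    proto: str         # "udp" or "tcp"
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int


def domain_udp(pkt: Packet) -> bool:
    """The stanza 'domain/udp' exactly as the pseudo-code reads it."""
    return pkt.proto == "udp" and DOMAIN in (pkt.src_port, pkt.dst_port)


def domain_udp_restricted(pkt: Packet, name_server: str = NAME_SERVER) -> bool:
    """Tightened check (an assumption for illustration, not a stanza from the
    manual): only the local name server may exchange UDP with a remote port 53,
    and its own port must be 53 or unprivileged, so no other local UDP service
    becomes reachable from an outside host that simply sends from port 53."""
    if pkt.proto != "udp":
        return False
    if pkt.inbound:
        local_host, local_port, remote_port = pkt.dst_host, pkt.dst_port, pkt.src_port
    else:
        local_host, local_port, remote_port = pkt.src_host, pkt.src_port, pkt.dst_port
    return (local_host == name_server and remote_port == DOMAIN
            and (local_port == DOMAIN or local_port >= 1024))


# Constructed traffic: a legitimate query/reply pair, then an outside host
# using source port 53 to reach privileged UDP ports (sunrpc, syslog) inside.
TRAFFIC = {
    "query":     Packet(False, "udp", NAME_SERVER, 53, "198.51.100.5", 53),
    "reply":     Packet(True,  "udp", "198.51.100.5", 53, NAME_SERVER, 53),
    "to_sunrpc": Packet(True,  "udp", "203.0.113.9", 53, "192.0.2.20", 111),
    "to_syslog": Packet(True,  "udp", "203.0.113.9", 53, NAME_SERVER, 514),
}


def permitted(rule) -> set:
    """Names of the constructed packets that a rule lets across the link."""
    return {name for name, pkt in TRAFFIC.items() if rule(pkt)}


if __name__ == "__main__":
    print("domain/udp permits:", sorted(permitted(domain_udp)))
    print("restricted permits:", sorted(permitted(domain_udp_restricted)))
```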
What Happens During Domain Name Queries
In the simplest case for domain queries, hosts on your network send all
‘domain’ requests to your domain name server. Your server checks to see
if it has the information cached. If not, it queries other domain name
servers on the Internet to obtain the information.