Firewall Wizards mailing list archives

Re: Use of single port aggregations to enhance security


From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 8 Jan 2010 16:19:11 -0500

> If you're using an operating-system-based firewall (Linux, BSD, Solaris), then
> depending on the order of the operating system enabling firewall capabilities vs
> networking, there may be windows where packets are able to reach code paths that they
> weren't intended for because NIC drivers start servicing packets quite early. However,
> nearly all of the above operating systems implement LACP in software. This means that
> there's a "knob" that can be used on the firewall host to control whether or not the
> switch sends stuff to the firewall, potentially allowing you to close that window (if
> it exists.) This might cause problems if you're doing some sort of out-of-band remote
> console over that port O:->

Hi Darren,

Using LACP is an interesting solution to a problem that, in most cases,
already has a simple solution, which is to not enable IP forwarding on your
firewall until rules are loaded.  Using OpenBSD and pf as an example, you
would set net.inet.ip.forwarding=0 in sysctl.conf, and then in rc.local run,
in order, the scripts that call pfctl, ifconfig, and then finally sysctl
net.inet.ip.forwarding=1 to begin forwarding packets.


I admit that caring about this might require a special level of paranoia :)

"The issue is not whether you are paranoid, it's whether you are paranoid
enough."

PaulM
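A fail-closed rc.local ordering of the kind described above, as an added example that is not code from the original post. It assumes net.inet.ip.forwarding=0 is already set in sysctl.conf, that the ruleset lives at /etc/pf.conf and that /etc/netstart is the interface script (both paths are assumptions), and it refuses to enable forwarding unless pfctl reports pf as enabled with a loaded ruleset.

```shell
#!/bin/sh
# Fail-closed boot ordering for an OpenBSD/pf firewall host (added example).
# The kernel boots with forwarding off (net.inet.ip.forwarding=0 in
# /etc/sysctl.conf); this is the sequence rc.local would then run.
# With DRY_RUN=1 the commands are printed, not executed, so the ordering
# can be reviewed on any machine.

PF_CONF=${PF_CONF:-/etc/pf.conf}                   # assumed ruleset path
NETSTART=${NETSTART:-/etc/netstart}                # assumed interface script

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Returns 0 only when pf is enabled and has at least one rule loaded.
pf_ready() {
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    pfctl -s info 2>/dev/null | grep -q '^Status: Enabled' || return 1
    pfctl -s rules 2>/dev/null | grep -q . || return 1
}

firewall_bringup() {
    # 1. Load and enable the ruleset while forwarding is still off.
    run pfctl -f "$PF_CONF"
    run pfctl -e
    # 2. Do not continue unless pf is actually filtering: leaving
    #    forwarding disabled is the safe failure mode.
    pf_ready || { echo "pf not active; forwarding stays disabled" >&2; return 1; }
    # 3. Bring up interfaces: packets now reach pf but are not forwarded.
    run sh "$NETSTART"
    # 4. Only now open the forwarding path.
    run sysctl net.inet.ip.forwarding=1
}

# Run the sequence when invoked as `sh fw-bringup.sh bringup`.
if [ "$1" = "bringup" ]; then
    firewall_bringup
fi
```

Running it with DRY_RUN=1 prints the four commands in order without touching pf or the interfaces.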



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

