[comp.dcom.lans] Smart filtering within a protocol on bridge/router?

glen@aecom.yu.edu (Glen M. Marianko) (11/16/89)

Anyone ever hear of a bridge or router that can filter traffic within
a protocol.  Like tell the box to "filter all TELNET traffic" or
"allow only SMTP traffic" either globally or for individual nodes.
Granted, this is rather esoteric - but security is the concept
here.

Thanks!


-- 

-- Glen M. Marianko  Manager, LAN Services  Glasgal Communications, Inc.
   151 Veterans Drive  Northvale, New Jersey 07647  201-768-8082
   glen@aecom.yu.edu - {uunet}!aecom!glen (Courtesy of AECOM & unaffiliated)

tgsmith@sundc.East.Sun.COM (Tim Smith - Consultant Sun Baltimore) (11/16/89)

In article <2598@aecom.yu.edu> glen@aecom.yu.edu (Glen M. Marianko) writes:
>Anyone ever hear of a bridge or router that can filter traffic within
>a protocol.  Like tell the box to "filter all TELNET traffic" or
>"allow only SMTP traffic" either globally or for individual nodes.
>Granted, this is rather esoteric - but security is the concept
>here.

cisco routers can do exactly what you want.  Their filtering is really
flexible and their boxes are real fast and real reliable.  They can
filter on source/destination IP net/addr, protocol, and TCP/UDP port
numbers.

I once had a host that was killing one of my vaxes with a mail loop.
The folks responsible for the offending machine were unable/unwilling
to fix things so I installed a filter in the cisco to ONLY block smtp
traffic from the offending host to the offended host.  The clowns on
the offending host were a bit confused before I told them what I had
done- "Well we can ping them, rlogin to them, telnet to them, but we
can't get mail to them.  What the hell is going on?"  Made my host
happy and also convinced them to fix their host.

Proteons can do filtering on source net, dest net, and maybe a little
more.  Their filtering is not as sophisticated as cisco's.

Contact info:

cisco systems
1360 Willow Road
Menlo Park, CA 94025
(800) 553-6387

Proteon
508-898-3100

NB:  Usual disclaimers apply.  I don't have any financial interest in
either company.  I have worked with both companies hardware.

        Tim Smith - Technical Consultant
US mail:Sun Microsystems        E-mail:
        6797 Dorsey Road                internet:tgsmith@sunbalt.east.sun.com
        Suite 4                         uucp    :sundc!timsmith
        Baltimore, MD 21227
MaBell :(301)379-5000

As goes without saying (but will be said anyway):  If I were speaking
for Sun you would be paying to hear it.

fortinp@bcara13.bnr.ca (Pierre Fortin 1573589) (11/17/89)

In article <2598@aecom.yu.edu>, glen@aecom.yu.edu (Glen M. Marianko) writes:
> Anyone ever hear of a bridge or router that can filter traffic within
> a protocol.  Like tell the box to "filter all TELNET traffic" or
> "allow only SMTP traffic" either globally or for individual nodes.
> Granted, this is rather esoteric - but security is the concept

Check out cisco Systems routers.  They can do just what you want; route
traffic between (sub)nets, bridge other traffic (Hybridge feature) and 
control IP traffic through access control lists which can be set up to 
filter at the address (with mask) level, service and port levels.
For example, you could permit only SMTP traffic from the networks of 
your choice (or even specific users) and deny all the rest.

> -- Glen M. Marianko  Manager, LAN Services  Glasgal Communications, Inc.

Pierre Fortin, Internet Systems, Bell-Northern Research, Ottawa, Canada
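
The two replies above describe the same mechanism: an ordered list of
rules matched on source/destination address (with mask), protocol and
port, with the first match deciding.  The following is an added example
written for this thread, not code from any poster and not cisco's
implementation.  It is a toy first-match filter with a simplified,
cisco-like rule syntax (an assumption for illustration, not a real IOS
grammar, and using prefix lengths where the posts mention masks).  The
addresses are constructed from the documentation ranges.  It builds Tim's
"block only SMTP from the offender to the victim" list, Pierre's "permit
only SMTP from chosen networks, deny the rest" list, and a misordered
copy of Tim's list to show why rule order matters.

```python
"""Toy first-match packet filter modelled on a router extended access list.

Added example for this thread, not code from any poster and not cisco's
implementation.  The rule syntax is a simplified, cisco-like form chosen
for illustration only (an assumption, not a real IOS grammar):

    <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <dst-port>]
    <src>/<dst> ::= any | host A.B.C.D | A.B.C.D/<prefixlen>
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                   # 'tcp', 'udp' or 'icmp'
    src: str                     # source IPv4 address
    dst: str                     # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for icmp


@dataclass(frozen=True)
class Rule:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'ip' matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]         # None means 'any destination port'


def _parse_addr(tokens: List[str]) -> IPv4Network:
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(tok, strict=False)   # A.B.C.D/len, host bits tolerated


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"bad rule: {line!r}")
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = None
    if tokens:   # optional 'eq <port>' clause, only meaningful for tcp/udp
        if tokens[0] != "eq" or proto not in ("tcp", "udp") or len(tokens) != 2:
            raise ValueError(f"bad port clause: {line!r}")
        dport = int(tokens[1])
    return Rule(action, proto, src, dst, dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src or ip_address(pkt.dst) not in rule.dst:
        return False
    return rule.dport is None or pkt.dport == rule.dport


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # implicit deny at the end of every list


# Constructed hosts from the documentation ranges (hypothetical).
OFFENDER, VICTIM = "192.0.2.10", "198.51.100.5"

# Tim's case: block ONLY SMTP from the offending host to the offended host.
MAIL_LOOP_ACL = [parse_rule(r) for r in (
    f"deny   tcp host {OFFENDER} host {VICTIM} eq 25",
    "permit ip any any",
)]

# Same two rules in the wrong order: 'permit ip any any' matches first,
# so the deny is never consulted and the SMTP traffic gets through.
MISORDERED_ACL = list(reversed(MAIL_LOOP_ACL))

# Pierre's case: permit only SMTP from one chosen network; the implicit
# deny at the end drops everything else.
SMTP_ONLY_ACL = [parse_rule(f"permit tcp 192.0.2.0/24 host {VICTIM} eq 25")]


def demo() -> dict:
    smtp = Packet("tcp", OFFENDER, VICTIM, 25)
    telnet = Packet("tcp", OFFENDER, VICTIM, 23)
    ping = Packet("icmp", OFFENDER, VICTIM)
    return {
        "mail_loop/smtp": evaluate(MAIL_LOOP_ACL, smtp),       # deny
        "mail_loop/telnet": evaluate(MAIL_LOOP_ACL, telnet),   # permit
        "mail_loop/ping": evaluate(MAIL_LOOP_ACL, ping),       # permit
        "misordered/smtp": evaluate(MISORDERED_ACL, smtp),     # permit (the bug)
        "smtp_only/smtp": evaluate(SMTP_ONLY_ACL, smtp),       # permit
        "smtp_only/telnet": evaluate(SMTP_ONLY_ACL, telnet),   # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Two points the toy makes concrete.  First, a one-direction rule on
destination port 25 is enough to stop the mail loop Tim describes: a TCP
connection to the victim's SMTP port cannot be set up if the initial
segments to port 25 never arrive, while ping, rlogin and telnet from the
same host still pass, exactly the symptom he reports.  Second, with
first-match semantics the order of the rules is the policy: the
misordered list has the same two lines and silently permits what it was
meant to block, so a specific deny must precede the broad permit and the
list should be checked against a packet that is supposed to be dropped.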

mogul@decwrl.dec.com (Jeffrey Mogul) (11/21/89)

In article <2598@aecom.yu.edu> glen@aecom.yu.edu (Glen M. Marianko) writes:
>Anyone ever hear of a bridge or router that can filter traffic within
>a protocol.  Like tell the box to "filter all TELNET traffic" or
>"allow only SMTP traffic" either globally or for individual nodes.
>Granted, this is rather esoteric - but security is the concept
>here.

You might be interested in my paper "Simple and Flexible Datagram
Access Controls for Unix-Based Gateways" in the Proceedings of the
Summer 1989 USENIX Conference.  The system described allows you
to do exactly what you are asking for; it is not such an esoteric
request.

Note that this paper describes a research system, not a product.

-Jeff