ABSTRACT

However, simplicity has its disadvantages. The rules that packet-filtering firewalls implement are based on port conventions. If an organization wants to stop certain service requests (e.g., telnet) from reaching internal or external hosts, the most logical rule is to block the port (e.g., port 23) that by convention carries telnet traffic. Blocking this port, however, does not prevent someone inside the network from accepting telnet requests on a different port that the firewall's rules leave open, because the filter sees only the port number, not the service actually being carried. In addition, blocking some kinds of traffic causes a number of practical problems. Blocking X-Windows traffic (which is typically sent to ports 6000 to 6013) seems on the surface to provide an effective security measure, given the many known vulnerabilities in this protocol. Many types of remote logon requests and graphical applications depend on X-Windows, however, so blocking X-Windows traffic may restrict functionality, which often leads to the decision to allow all X-Windows traffic (and makes the firewall a less-than-effective security barrier).
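The port-convention limitation described above, as an added example that is not part of the original text: a minimal stateless packet filter that, like the firewalls discussed, matches only on protocol and destination port. The rule set, the sample packets and their service labels are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str        # "DROP" or "ACCEPT"
    proto: str         # "tcp", "udp" or "any"
    dst_ports: range   # destination ports the rule covers
    comment: str

# Constructed rule set: first match wins, implicit deny at the end.
RULES = [
    Rule("DROP", "tcp", range(23, 24), "block telnet by its conventional port"),
    Rule("DROP", "tcp", range(6000, 6014), "block X-Windows (ports 6000-6013)"),
    Rule("ACCEPT", "any", range(0, 65536), "default: allow everything else"),
]

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    service: str   # what the payload really carries; a packet filter cannot see this

def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return the action of the first rule whose protocol and port range match."""
    for r in rules:
        if r.proto in ("any", pkt.proto) and pkt.dst_port in r.dst_ports:
            return r.action
    return "DROP"  # implicit deny when no rule matches

def classify(pkts, rules=RULES):
    """Pair each packet's real service with the verdict the port-based filter gives it."""
    return [(p.service, p.dst_port, filter_packet(p, rules)) for p in pkts]

# Constructed traffic: the same telnet service on its conventional port and on a port the
# rules leave open, plus an X11 connection that a legitimate remote application needs.
SAMPLE = [
    Packet("tcp", 23, "telnet"),
    Packet("tcp", 2323, "telnet"),
    Packet("tcp", 6000, "x11"),
    Packet("tcp", 443, "https"),
]

if __name__ == "__main__":
    for service, port, verdict in classify(SAMPLE):
        print(f"{service:7} -> port {port:5}: {verdict}")
```

The second telnet packet is accepted and the legitimate X11 session is dropped, which is exactly the mismatch between port convention and actual service that the text describes.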