Sorry guys for jumping into your conversation. Just wanted to confirm
Davide's point here though I'm not a security expert.
Many recent (new/updated) firewalls allow you to have control over the entire
TCP/IP stack. Now firewalls know how to prevent DoS attacks in the form of
ICMP echo bandwidth consumption, IP fragmenting, SYN flooding, etc.
My personal preference stands for RSDP (known as BlackIce) even though it has
already been hacked (some new viruses hack/stop the firewall).
Though it was a while ago, I remember an easy integration of the
firewall client into our XPe images (only some tweaks around the IPFilter
driver) and it did not increase my image size dramatically (+2,5 Mb assuming
you have the TCPIP stack included). More info here:
http://blackice.iss.net/product_pc_protection.php.
And just aside from the Windows firewalls, but more general info on
BlackIce/IPFilter and the attacks covered:
http://www.sans.org/rr/papers/21/815.pdf,
http://www.sans.org/rr/papers/30/346.pdf.
I think Slobodan's approach of replacing the TCP/IP stack works well when you
have one or two network-dedicated applications. IMHO, to make sure your device is
as secure and protected as possible you will need to cover many holes in the TCP/IP
stack anyway.
KM
DM> Sorry Slobodan, but let me insist...
DM> hum... TCP is not as fast as UDP, yes, but it has some well known issues
DM> such as SYN DoS... very simple to put in place, and you know that a SYN
DM> packet is as fast as a UDP one.
DM> This is not the clue, I think: if my firewall lets me define a rate
DM> limit (to the best of my memory, for instance, ZA does and the
DM> linux/netfilter infrastructure surely does) then over that limit,
DM> packets are simply dropped, avoiding pushing them onto the stack
DM> which, at this point, really means overhead. No 'higher level'
DM> analysis is performed at all.
DM> Removing all services that use UDP and TCP ports may not be
DM> enough...
DM> what about ICMP (the 'redirect' one for instance........). And this
DM> is only an example.
DM> Someone told me, a long time ago, that the most dangerous hacker is
DM> always your employee....
DM> I guess not...
DM> Cheers -Davide
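The rate-limit behaviour Davide describes (over the configured rate, SYN packets are simply dropped before they reach the stack) and the SYN-flood protection KM mentions can be made concrete with a small simulation. The code below is an added example, not from either poster or from any of the products named: it implements a per-source token bucket, modelled on the token-bucket semantics of netfilter's limit/hashlimit matches, and runs it over constructed traffic (the IP addresses, timings and rate/burst values are sample values chosen here, not figures from the thread).

```python
"""Per-source SYN rate limiting with a token bucket (added example).

Models the firewall behaviour discussed in the thread: once a source exceeds
the configured rate of new-connection (SYN) packets, further SYNs from it are
dropped and never reach the TCP stack. Everything else is passed untouched,
since the rule performs no higher-level analysis. All traffic is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str         # source IP (constructed sample values)
    proto: str       # "tcp" / "udp" / "icmp"
    flags: str = ""  # TCP flags; "S" = SYN only, i.e. a new connection attempt


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, holding at most `burst`."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)      # start full so an initial burst is allowed
        self.last_ts: Optional[float] = None

    def allow(self, ts: float) -> bool:
        if self.last_ts is None:
            self.last_ts = ts
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (ts - self.last_ts) * self.rate)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SynRateLimiter:
    """Drops SYNs from any source exceeding rate/burst; passes everything else."""

    def __init__(self, rate_per_sec: float, burst: int) -> None:
        self._buckets: Dict[str, TokenBucket] = defaultdict(
            lambda: TokenBucket(rate_per_sec, burst))

    @staticmethod
    def is_syn(p: Packet) -> bool:
        return p.proto == "tcp" and p.flags == "S"

    def filter(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        accepted: List[Packet] = []
        dropped: List[Packet] = []
        for p in sorted(packets, key=lambda x: x.ts):   # process in arrival order
            if self.is_syn(p) and not self._buckets[p.src].allow(p.ts):
                dropped.append(p)    # over the limit: dropped, never hits the stack
            else:
                accepted.append(p)
        return accepted, dropped


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic: a SYN burst from one host, normal traffic from another."""
    flood = [Packet(ts=i * 0.005, src="198.51.100.7", proto="tcp", flags="S")
             for i in range(20)]                         # 20 SYNs within 100 ms
    normal = [Packet(ts=t, src="192.0.2.10", proto="tcp", flags="S")
              for t in (0.0, 0.4, 0.8)]                  # 3 SYNs spread over 800 ms
    ack = [Packet(ts=0.05, src="198.51.100.7", proto="tcp", flags="A")]  # not a SYN
    return flood + normal + ack


def run_demo(rate_per_sec: float = 5.0, burst: int = 5) -> Dict[str, int]:
    """Apply the limiter to the sample traffic and summarise what was dropped."""
    limiter = SynRateLimiter(rate_per_sec, burst)
    accepted, dropped = limiter.filter(build_sample_traffic())
    dropped_by_src: Dict[str, int] = defaultdict(int)
    for p in dropped:
        dropped_by_src[p.src] += 1
    return {
        "accepted": len(accepted),
        "dropped": len(dropped),
        "dropped_from_198.51.100.7": dropped_by_src["198.51.100.7"],
        "dropped_from_192.0.2.10": dropped_by_src["192.0.2.10"],
    }


if __name__ == "__main__":
    print(run_demo())
```

With a limit of 5 SYNs per second and a burst of 5, the flooding host gets its first five SYNs through and the remaining fifteen are dropped, while the well-behaved host and the non-SYN packet pass unaffected. The point the simulation makes is the one Davide raises: the decision costs one bucket lookup per packet and looks at nothing above the TCP header, so the stack never spends time on the excess.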