OpenBCM V1.13 (Linux)

Packet Radio Mailbox

DB0FHN

[JN59NK Nuernberg]

PA2AGA > TCPDIG   09.07.97 11:16l 139 Lines 4957 Bytes #-10571 (0) @ EU
BID : TCP_97_39B
Read: GUEST
Subj: TCP-Group Digest 97/39B
Path: DB0RGB<DB0ABH<DB0SRS<DB0ZDF<DB0AIS<DB0NDK<DB0RWI<PI8JOP<PI8ZAA<PI8HWB<
      PI8VAD<PI8VNW
Sent: 970709/0202Z @:PI8VNW.#ZH2.NLD.EU #:10354 [Hoek v Holland] FBB5.15c
From: PA2AGA@PI8VNW.#ZH2.NLD.EU
To  : TCPDIG@EU

Received: from pa2aga by pi1hvh with SMTP
	id AA37869 ; Wed, 09 Jul 97 00:48:43 UTC
Received: from pa2aga by pa2aga (NET/Mac 2.3.62/7.1) with SMTP
	id AA00002503 ; Tue, 15 Apr 97 22:15:11 MET
Received: from pa2aga-1 by pa2aga with SMTP
	id AA00002472 ; Tue, 15 Apr 97 22:11:16 MET
Received: from pa2aga-1 by pa2aga-1 (NET/Mac 2.3.62/7.6.1) with SMTP
	id AA00009370 ; Tue, 15 Apr 97 22:11:14 MET
Date: Tue, 15 Apr 97 22:05:21 MET
Message-Id: <tcp_97_39B>
From: pa2aga
To: tcp_broadcast@pa2aga-1
Subject: TCP-Group Digest 97/39B
X-BBS-Msg-Type: B

> a network problem.

These reasons exactly are why firewalls and routers block them. With
billions of dollars of assets in our company we can't afford to give
out any information that a criminal hacker could use to break in, or
to be vulnerable in any way. DOS attacks can also bring down or clog
a T1 link easily, plus it crashes many OS's, including high-end servers.

I used to actually think the same way, leave things pretty much open,
but after working in information protection with large corporations 
I learned how bad it is to leave anything open because people *WILL* 
try to get in by any means possible, and they do try too. Only open up
exactly what you need to open up, because it's not the known bugs that
will hurt you, it's the unknown ones. Even the simplest or the oldest
so-called "bug free" protocols are discovered to be security holes.

> I still dream of the day when firewalls are obsoleted by decent host
> security.

We all do, but until the day comes where we can catch criminal hackers
and take them behind a shed and beat the *you know what* out of them,
we don't have a whole lot of choice. Some people just can't be trusted
and they will try to exploit you or your company by any means possible.

> Phil

 Disclaimer: The views stated above are my own and do not reflect those
             of Computer Task Group, Inc. or the Detroit Edison Company.

 Ron Atkinson  Work: atkinsonr@detroitedison.com   (313) 235-3558

------------------------------

Date: Mon, 14 Apr 1997 20:47:16 -0400 (EDT)
From: k1zat@dsport.com
Subject: What Protocole traceroute use ?

> I still dream of the day when firewalls are obsoleted by decent host
> security.

   Don't we all !

------------------------------

Date: Tue, 15 Apr 1997 01:51:52 GMT
From: brian@nothing.ucsd.edu (Brian Kantor)
Subject: What Protocole traceroute use ?

I beg to point out that your link can be saturated even if your 
firewall passes nothing at all, unless your firewall is physically
located at the ISP end of the link.

I too wish that firewalls weren't necessary, but until corporate America
(and others) stops buying defective (i.e., insecure) computer systems
and attaching them to networks, they're going to be necessary.

However, that is straying from ham radio.

I believe that hams running gateways must institute filtering and other
mechanisms in order to protect their licenses.  Each is responsible for
that individually because it can't be done centrally, as in a single
firewall for the entire 44 net, since it isn't singly attached to the
rest of the network world.  How much filtering (etc) is required at
each gateway is up to that gateway's operator, if only for the reason
that content and operator restrictions vary from country to country.
And that's what makes it fun, right?
 - Brian

------------------------------

Date: Tue, 15 Apr 97 10:28:48 MDT
From: Martin W Freiss <freiss.pad@sni.de>
Subject: What Protocole traceroute use ?

Mike Bilow wrote:

> I agree with Phil on this: ICMP generally need not be restricted.  There is
> a vulnerability to a denial-of-service attack, but even this is really only
> an issue if the firewall does not protect against fake source IP addresses.
> In particular, frames claiming to be originated from the local subnet should
> not be routed through the firewall destined for the local subnet, but this
> is a protection applicable to all IP frames and not specific to ICMP.

There are a lot of buggy IP stacks out there that freely accept ICMP host 
unreachable and redirect messages. No need to fake anything to mount
a DOS attack or to see if you can reroute traffic. 
Not to mention "ping of death".

<paranoia>
Aside from that, it is a rather simple coding matter to use ICMP
messages to open a covert channel, bypassing the firewall.
</paranoia>


-Martin

--
 Martin Freiss, MF194     | freiss.pad@sni.de | http://www.rmi.de/~marvin
 Siemens Nixdorf, CC IT Networks, Firewalls & Network Security 
Half male, half e-mail.  
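
Added example, not part of the original digest or any poster's code: a sketch of the two filtering points raised in the message above, the source-address check applied to all IP traffic and the refusal of ICMP redirects arriving from outside. Matching "unreachable" errors against known outbound flows goes beyond what the thread states; the names Packet, verdict and FLOWS and all addresses (documentation ranges) are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed inside subnet
ICMP_DEST_UNREACH, ICMP_REDIRECT = 3, 5           # ICMP type numbers

class Packet(NamedTuple):
    iface: str                                 # "ext" or "int" (arrival interface)
    src: str
    dst: str
    proto: str                                 # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None
    quoted: Optional[Tuple[str, str]] = None   # (src, dst) quoted inside an ICMP error

def verdict(pkt, outbound_flows):
    """Return (action, reason) for one packet seen by the gateway filter."""
    if pkt.iface != "ext":
        return "accept", "from inside"
    # Anti-spoofing for every protocol: nothing arriving from outside
    # may claim a source address on the local subnet.
    if ipaddress.ip_address(pkt.src) in LOCAL_NET:
        return "drop", "spoofed local source"
    if pkt.proto == "icmp":
        # Redirects from outside are never needed by inside hosts.
        if pkt.icmp_type == ICMP_REDIRECT:
            return "drop", "redirect from outside"
        # Accept "unreachable" only when it quotes a flow we actually sent.
        if pkt.icmp_type == ICMP_DEST_UNREACH and pkt.quoted not in outbound_flows:
            return "drop", "unreachable for unknown flow"
    return "accept", "ok"

# Constructed sample data: one known outbound flow and six test packets.
FLOWS = {("192.0.2.10", "198.51.100.7")}
SAMPLES = [
    Packet("ext", "192.0.2.99", "192.0.2.10", "icmp", 8),
    Packet("ext", "203.0.113.5", "192.0.2.10", "icmp", 5),
    Packet("ext", "203.0.113.5", "192.0.2.10", "icmp", 3, ("192.0.2.10", "198.51.100.7")),
    Packet("ext", "203.0.113.5", "192.0.2.10", "icmp", 3, ("192.0.2.10", "198.51.100.99")),
    Packet("ext", "203.0.113.5", "192.0.2.10", "icmp", 11),  # time exceeded (traceroute)
    Packet("int", "192.0.2.10", "198.51.100.7", "udp"),
]

def classify_samples():
    """Actions for the constructed samples, in order."""
    return [verdict(p, FLOWS)[0] for p in SAMPLES]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src, p.icmp_type, *verdict(p, FLOWS))
```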

------------------------------

End of TCP-Group Digest V97 #39
******************************

You can send your message for this bulletin
to:     tcp-group@pa2aga           on .AMPR.ORG-net
or:     tcpaga@pi8vnw.#zh2.nld.eu  on BBS-net
        ------

NOT TO: pa2aga@pa2aga  or  pa2aga@pi8vnw.#zh2.nld.eu  PLEASE!!

It will get posted automatically within a few days




