Re: [fw-wiz] Firewalls and 802.1q trunking

From: R. DuFresne (dufresne@sysinfo.com)
Date: 11/27/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: David Pick <d.m.pick@qmul.ac.uk>
Date: Wed Nov 27 13:55:51 2002

On Wed, 27 Nov 2002, David Pick wrote:

>
> > My concern is that the "fan-out" boxes are typically run-of-the-mill
> > switches, like Cisco Catalysts, that probably have been designed without
> > any security aspirations. I wouldn't be surprised if those switches
> > could be attacked and tricked into leaking packets between VLANs.
>
> A valid concern. My attitude is simple:
> * If the switches are secure enough to keep VLANs separated for
> normal traffic then they're secure enough to use as interfaces
> to your firewall

But, normal traffic is not the only issue here, it's the abnormal traffic
and abusive-normal traffic that is going to affect how well they handle
issues in a security related context, yes?

Documentation[0] and the undocumented *features* are relevant in this
context as documentation leads to understanding the keys and weaknesses to
known configuration standards, and undocumented, but included weaknesses
such as open admin back-channels:

SANS NewsBites Vol. 4 Num. 48
...
 --22 November 2002 Alcatel Vulnerability
CERT/CC has issued a warning about a back door in Alcatel Operating
System version 5.1.1. Customers are advised to upgrade their software.
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20270140,00.htm
http://www.cert.org/advisories/CA-2002-32.html
...

...
From: Jacek Lipkowski <sq5bpf@andra.com.pl>
Subject: Undocumented account vulnerability in Avaya P550R/P580/P880/P882
    switches
Date: Tue, 15 Oct 2002 16:10:26 +0200 (CEST)
To: bugtraq@securityfocus.com

Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

...

...
From: "COULOMBE, TROY" <TROCOU@SAFECO.com>
Subject: Catalyst 4000
Date: Mon, 20 May 2002 09:38:25 -0700
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>

Issue:
        Unicast packets flooded out switch ports they shouldn't be.

Platform:
        Cisco Catalyst 4000

OS:
        5.5.5; 6.3.5; 7.1.2; probably all others

...

Switches of all types, as well as many other devices employed in security
infrastructures, are basically, drop and play *feature-rich*[1]
*feature-fresh*[1] *appliances*, <to relate back to another thread...>,
documented <often tested at> at *best optimal* operating
conditions/settings, shipped at *most optimal functionality defaults* 'on'
configurations, pushing the responsibility of security back at the enduser
<so much for 'top down' perspectivists>. Which those endusers seem to
-=inherently feel more warm fuzzies=- about placing into critically
hostile exposed environments. Lack of *research* often driving the newer
technology tools/toys deployment, the *critical* nature of which, often
inhibits proper auditing and maintenance/patching[2]. A perspective
perhaps more critically paranoid of these new devices and technologies is
the safer approach. It's no wonder it can be pondered that perhaps
companies/endusers "get the security they deserve". Too much hurry and
rush to get there, and then an awful lot of surprise once you do...

Thanks,

Ron DuFresne

[0] documentation being an ongoing subprocess, from initial R&D *feature*
creep, to going over the vendors documents, to documenting how your tools
and toys work and protect one another and are configured to do so.

[1] similar, but different, rich implying *most*, fresh implying *latest
and greatest*, both together imply a *do it all*, even poorly, then rather
*do something<s>* right reaction to consumer demand

[2] nobody really thinks upgrades/patches/fixes are really importantly
foremost in the security mindset do they:

http://www.rtfm.com/upgrade.pdf
http://www.rtfm.com/upgrade.ps

SANS NewsBites Vol. 4 Num. 48 :

 --19 & 20 November 2002 Study Shows Many Haven't Patched OpenSSH
                          Vulnerability
A recent study showed that 30% of systems running OpenSSH remained
unpatched even after the Slapper worm illuminated the OpenSSH
vulnerability. Speculations about why the problem has not been fixed:
(1) lack of full time administrators, (2) stringent deadlines that
don't allow time for installing patches and (3) server maintenance
responsibility being given to people who have little security training.
It is also possible that some systems weren't patched because of
fears the patch might have an adverse effect on the system.
http://news.com.com/2100-1001-966398.html
http://www.newscientist.com/news/news.jsp?id=ns99993090
[Editor's Note (Murray): This report is exceptionally well done.
An ounce of it is worth a pound of intuition or two pounds of good
intentions.]

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
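The two switch failures this thread turns on (unicast frames flooded out ports that should never see them, as in the Catalyst 4000 report above, and tagged frames arriving from a VLAN that has no business on the port) both leave a passive trace on the firewall side. The Python below is an added illustration, not code from the original post or from any vendor: it parses constructed Ethernet II frames, handles the 802.1Q tag, and flags those two symptoms. The MAC addresses, VLAN numbers and sample capture are all made up.

```python
import struct
TPID_8021Q = 0x8100  # ethertype value that marks an 802.1Q tag

def parse_frame(fr):
    """Split an Ethernet II frame into dst, src, optional 802.1Q VID and ethertype."""
    if len(fr) < 14:
        raise ValueError("runt frame")
    dst, src, etype = fr[:6], fr[6:12], struct.unpack("!H", fr[12:14])[0]
    vid = None
    if etype == TPID_8021Q:
        if len(fr) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", fr[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    return {"dst": dst, "src": src, "vid": vid, "ethertype": etype}

def classify(fr, my_mac, allowed_vids):
    """Return finding strings for one frame; an empty list means it looks normal."""
    f = parse_frame(fr)
    findings = []
    if not (f["dst"][0] & 0x01) and f["dst"] != my_mac:
        # I/G bit clear and not our address: a unicast frame for another host
        # reached this port, i.e. the switch flooded instead of forwarding.
        findings.append("unicast for %s flooded to this port" % f["dst"].hex(":"))
    if f["vid"] is not None and f["vid"] not in allowed_vids:
        findings.append("tagged frame from unexpected VLAN %d" % f["vid"])
    return findings

def audit(frames, my_mac, allowed_vids):
    # Run classify() over a whole capture; yields (frame index, finding) pairs.
    return [(i, m) for i, fr in enumerate(frames)
            for m in classify(fr, my_mac, allowed_vids)]

# Constructed sample capture (not a real trace): this port owns MY_MAC, VLAN 10 only.
MY_MAC = bytes.fromhex("00aa00aa00aa")
OTHER = bytes.fromhex("00bb00bb00bb")
PEER = bytes.fromhex("00cc00cc00cc")
BCAST = b"\xff" * 6

def frame(dst, src, etype=0x0800, vid=None):
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + b"\x00" * 46

SAMPLE = [
    frame(MY_MAC, PEER),           # normal unicast to us
    frame(BCAST, PEER, 0x0806),    # ARP broadcast: expected on any port
    frame(OTHER, PEER),            # unicast for another host: flooded
    frame(MY_MAC, PEER, vid=10),   # tagged with our own VLAN: fine
    frame(OTHER, PEER, vid=20),    # unicast leaked across from VLAN 20
]
```

To use it on a live firewall interface, replace SAMPLE with the raw frames from a capture taken on that port and let audit() run for a while; any finding at all means the switch is not keeping the separation David's criterion relies on.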
