Re: Opinions: To NAT or not to NAT?
From: SysAdm (willgeeza_at_yahoo.com)
Date: 06/22/04
- Next message: Michael A. Covington: "Re: ~~~Opinions: To NAT or not to NAT?"
- Previous message: admin too: "Cisco VPN Client pass-through a Netscreen?"
- In reply to: Alec: "Re: Opinions: To NAT or not to NAT?"
- Next in thread: Alec: "Re: Opinions: To NAT or not to NAT?"
- Reply: Alec: "Re: Opinions: To NAT or not to NAT?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 21 Jun 2004 15:36:07 -0700
"Alec" <alec@nospam.com> wrote in message news:<EqEBc.7778$Tx3.3582@newssvr24.news.prodigy.com>...
> "Greg Hennessy" <me@privacy.net> wrote in message
> news:gtldd01vd2346370ofrrrkp02q3jepu7rt@4ax.com...
> > On 21 Jun 2004 04:23:03 -0700, willgeeza@yahoo.com (SysAdm) wrote:
> >
> > >"Alec" <alec@nospam.com> wrote in message
> news:<Q8qBc.2076$vU2.593@newssvr23.news.prodigy.com>...
>
<snip>
I had a sniff back through my mail archives and came up with this:
http://lists.netsys.com/pipermail/full-disclosure/2003-July/006402.html
and its more formal version:
http://www.securitytracker.com/alerts/2003/Jul/1007148.html
My memory was a bit out, it was July last year when I got this, not
November. The disclosure noted that:
"...brodcast frames carrying protocols like SNA, IPX CDP, CDP, VST ...
will all happily cross the firewall in and out without being checked
nor logged, possibly reaching remote parts of corporate networks. Even
the zone used for managing the firewall is not immune !!!"
What I found far worse than this was the author went on to note that:
"...Not only is the flaw infamous, but here is the worst:
NetScreen devised a FAKE, dummy screening option: "bypass non-IP
traffic". Toggling it on or off has absolutely no effect..."
But anyhow - rather than copy paste, it would be worth reading the
article. It seems that the testing was carried out using Bridge mode.
This was where my memory failed me with my reference to fail-open.
The exploit patently didn't even need the firewall module to fail in
order to be effective.
So, fail-open or not it seems that the flaw was even more serious.
Again, this was last July. I am uncertain at this time whether the
bug has been rectified. According to the report, Netscreen were
notified.
ps. hope I wasn't rude...
SysAdm
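The disclosure quoted in the post is about non-IP frames (IPX, SNA, CDP) crossing a bridge-mode firewall unchecked, with a "bypass non-IP traffic" toggle that did nothing. The check a practitioner would want is to see, on the far side of the bridge, exactly which frames are not IP. The following is an added example (not code from the post, the disclosure or NetScreen): a small Ethernet frame classifier that distinguishes Ethernet II, Novell raw 802.3, LLC and SNAP encapsulations and reports every frame a "drop non-IP" bridge should have blocked. Assumptions are labelled in the code: ARP is counted as part of IP (a bridge that drops ARP breaks IP anyway), at most one 802.1Q tag is stripped, SNA is recognised by LLC SAP 0x04, and all sample frames are constructed inline with dummy addresses and payloads.

```python
"""Classify raw Ethernet frames as IP or non-IP, as a check for a transparent
(bridge-mode) firewall that claims to drop non-IP traffic.

Added example, not vendor code. Sample frames are constructed inline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = b"\xff" * 6
ETHERTYPE_NAMES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
    0x8137: "IPX (Ethernet II)", 0x80D5: "SNA over Ethernet",
}
IP_ETHERTYPES = {0x0800, 0x0806, 0x86DD}  # assumption: ARP counts as IP traffic
CISCO_OUI = b"\x00\x00\x0c"
CDP_PID = 0x2000


@dataclass
class Frame:
    dst: bytes
    src: bytes
    encap: str               # "ethernet2", "802.3-raw", "802.3-llc", "802.3-snap"
    ethertype: Optional[int]  # None when the frame carries no EtherType at all
    label: str

    @property
    def is_ip(self) -> bool:
        return self.ethertype in IP_ETHERTYPES

    @property
    def is_group(self) -> bool:
        # I/G bit set: broadcast or multicast destination
        return bool(self.dst[0] & 1)


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (tl,) = struct.unpack("!H", raw[12:14])
    off = 14
    if tl == 0x8100:  # 802.1Q tag; assumption: at most one tag
        if len(raw) < 18:
            raise ValueError("truncated VLAN tag")
        (tl,) = struct.unpack("!H", raw[16:18])
        off = 18
    if tl >= 0x0600:  # Ethernet II: the field is an EtherType
        return Frame(dst, src, "ethernet2", tl,
                     ETHERTYPE_NAMES.get(tl, f"EtherType 0x{tl:04x}"))
    # 802.3: the field is a length and an LLC header follows
    if len(raw) < off + 3:
        raise ValueError("truncated LLC header")
    dsap, ssap = raw[off], raw[off + 1]
    if dsap == 0xFF and ssap == 0xFF:  # Novell "raw" 802.3 IPX
        return Frame(dst, src, "802.3-raw", None, "IPX (Novell raw 802.3)")
    if dsap == 0xAA and ssap == 0xAA:  # SNAP: OUI + protocol id follow
        if len(raw) < off + 8:
            raise ValueError("truncated SNAP header")
        oui = raw[off + 3:off + 6]
        (pid,) = struct.unpack("!H", raw[off + 6:off + 8])
        if oui == CISCO_OUI and pid == CDP_PID:
            return Frame(dst, src, "802.3-snap", None, "CDP")
        if oui == b"\x00\x00\x00":  # SNAP carrying a plain EtherType
            return Frame(dst, src, "802.3-snap", pid,
                         ETHERTYPE_NAMES.get(pid, f"EtherType 0x{pid:04x}"))
        return Frame(dst, src, "802.3-snap", None,
                     f"SNAP OUI {oui.hex()} PID 0x{pid:04x}")
    if dsap == 0x04 or ssap == 0x04:  # assumption: IBM SNA path control SAP
        return Frame(dst, src, "802.3-llc", None, "SNA (LLC SAP 0x04)")
    return Frame(dst, src, "802.3-llc", None,
                 f"LLC DSAP 0x{dsap:02x} SSAP 0x{ssap:02x}")


def non_ip_leaks(frames: List[bytes]) -> List[str]:
    """Labels of frames a 'drop non-IP traffic' bridge should have blocked."""
    return [f.label for f in map(parse_frame, frames) if not f.is_ip]


# --- constructed sample capture (dummy addresses and payloads) ---
SRC = bytes.fromhex("0200deadbeef")  # locally administered, constructed


def eth2(dst: bytes, etype: int, payload: bytes) -> bytes:
    return dst + SRC + struct.pack("!H", etype) + payload


def dot3(dst: bytes, llc_and_payload: bytes) -> bytes:
    return dst + SRC + struct.pack("!H", len(llc_and_payload)) + llc_and_payload


SAMPLE_FRAMES = [
    eth2(BROADCAST, 0x0800, b"\x45" + b"\x00" * 19),             # IPv4 broadcast
    eth2(BROADCAST, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),  # ARP
    dot3(BROADCAST, b"\xff\xff" + b"\x00" * 30),                 # IPX raw 802.3 broadcast
    dot3(bytes.fromhex("01000ccccccc"),                          # CDP multicast
         b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID) + b"\x02\xb4" + b"\x00" * 8),
    dot3(BROADCAST, b"\x04\x04\x03" + b"\x00" * 20),             # SNA over LLC
    eth2(BROADCAST, 0x8137, b"\xff\xff" + b"\x00" * 28),         # IPX Ethernet II
]

if __name__ == "__main__":
    for f in map(parse_frame, SAMPLE_FRAMES):
        verdict = "pass" if f.is_ip else "SHOULD BE BLOCKED"
        print(f"{f.encap:10s} {f.label:26s} group={f.is_group} -> {verdict}")
```

Run against frames captured on the "protected" side of the bridge (for instance from a pcap via a reader that yields raw link-layer bytes) rather than the constructed list; anything `non_ip_leaks` returns is traffic the "bypass non-IP traffic" setting was supposed to stop. The classifier deliberately decodes the 802.3/LLC/SNAP cases, because that is where IPX, SNA and CDP live and where a filter that only looks at the EtherType field of Ethernet II frames gets nothing to match on.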