Re: Opinions: To NAT or not to NAT?

From: SysAdm (willgeeza_at_yahoo.com)
Date: 06/22/04


Date: 21 Jun 2004 15:36:07 -0700


"Alec" <alec@nospam.com> wrote in message news:<EqEBc.7778$Tx3.3582@newssvr24.news.prodigy.com>...
> "Greg Hennessy" <me@privacy.net> wrote in message
> news:gtldd01vd2346370ofrrrkp02q3jepu7rt@4ax.com...
> > On 21 Jun 2004 04:23:03 -0700, willgeeza@yahoo.com (SysAdm) wrote:
> >
> > >"Alec" <alec@nospam.com> wrote in message
> news:<Q8qBc.2076$vU2.593@newssvr23.news.prodigy.com>...
>
<snip>
I had a sniff back through my mail archives and came up with this:
http://lists.netsys.com/pipermail/full-disclosure/2003-July/006402.html

and its more formal version:
http://www.securitytracker.com/alerts/2003/Jul/1007148.html

My memory was a bit out, it was July last year when I got this, not
November. The disclosure noted that:
"...broadcast frames carrying protocols like SNA, IPX CDP, CDP, VST ...
will all happily cross the firewall in and out without being checked
nor logged, possibly reaching remote parts of corporate networks. Even
the zone used for managing the firewall is not immune !!!"

What I found far worse than this was the author went on to note that:

"...Not only is the flaw infamous, but here is the worst:
NetScreen devised a FAKE, dummy screening option: "bypass non-IP
traffic". Toggling it on or off has absolutely no effect..."

But anyhow - rather than copy paste, it would be worth reading the
article. It seems that the testing was carried out using Bridge mode.
This was where my memory failed me with my reference to fail-open.
The exploit patently didn't even need the firewall module to fail in
order to be effective.

So, fail-open or not it seems that the flaw was even more serious.
Again, this was last July. I am uncertain at this time whether the
bug has been rectified. According to the report, Netscreen were
notified.

ps. hope I wasn't rude...

SysAdm
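
Added example, not part of the original post or of the linked advisory: a check a defender could run over frames captured on the far side of a bridge-mode firewall, listing any non-IP protocols (such as the SNA, IPX and CDP named in the quoted disclosure) that crossed it. The frame bytes are constructed samples, all function names are hypothetical, and treating ARP as expected traffic is an assumption.

```python
import struct

# Layer-2 payloads an IP rule base can reason about. Counting ARP as expected
# is an assumption of this example (IPv4 needs it to cross a bridge).
EXPECTED = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
ETHERTYPES = {**EXPECTED, 0x8137: "IPX"}
LLC_DSAP = {0x04: "SNA", 0x42: "STP", 0xE0: "IPX"}   # 802.2 DSAP values
CDP_SNAP = (b"\x00\x00\x0c", 0x2000)                 # Cisco OUI + CDP protocol id

def by_ethertype(value):
    return ETHERTYPES.get(value, f"ethertype-0x{value:04x}")

def classify(frame: bytes) -> str:
    """Name the protocol carried by one Ethernet frame (no VLAN tag handling)."""
    if len(frame) < 16:
        return "truncated"
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= 0x0600:            # Ethernet II: field is an EtherType
        return by_ethertype(type_or_len)
    dsap, ssap = frame[14], frame[15]    # 802.3: field is a length, LLC follows
    if (dsap, ssap) == (0xFF, 0xFF):     # Novell "raw" 802.3, no LLC header
        return "IPX"
    if (dsap, ssap) == (0xAA, 0xAA):     # SNAP: OUI + 16-bit protocol id
        if len(frame) < 22:
            return "truncated"
        oui, (pid,) = frame[17:20], struct.unpack("!H", frame[20:22])
        if (oui, pid) == CDP_SNAP:
            return "CDP"
        return by_ethertype(pid) if oui == b"\x00\x00\x00" else f"snap-{oui.hex()}-0x{pid:04x}"
    return LLC_DSAP.get(dsap, f"llc-dsap-0x{dsap:02x}")

def non_ip_frames(frames):
    """Return (index, protocol) for every frame a layer-3 policy would not see."""
    labelled = ((i, classify(f)) for i, f in enumerate(frames))
    return [(i, p) for i, p in labelled if p not in EXPECTED.values()]

# Constructed sample frames (not captured traffic): dst MAC, src MAC, type/len, payload.
SRC = bytes.fromhex("020000000001")
BCAST = b"\xff" * 6
SAMPLE = [
    BCAST + SRC + bytes.fromhex("0800") + b"\x45" + bytes(19),            # IPv4
    BCAST + SRC + bytes.fromhex("8137") + b"\xff\xff" + bytes(28),        # IPX
    bytes.fromhex("01000ccccccc") + SRC + bytes.fromhex("0010aaaa0300000c2000") + bytes(8),  # CDP
    BCAST + SRC + bytes.fromhex("0008040403") + bytes(5),                 # SNA over LLC
    BCAST + SRC + bytes.fromhex("0806") + bytes(28),                      # ARP
]

if __name__ == "__main__":
    print(non_ip_frames(SAMPLE))
```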


