Re: Opinions: To NAT or not to NAT?
From: SysAdm (willgeeza_at_yahoo.com)
Date: 21 Jun 2004 15:36:07 -0700
"Alec" <email@example.com> wrote in message news:<EqEBc.7778$Tx3.firstname.lastname@example.org>...
> "Greg Hennessy" <email@example.com> wrote in message
> > On 21 Jun 2004 04:23:03 -0700, firstname.lastname@example.org (SysAdm) wrote:
> > >"Alec" <email@example.com> wrote in message
I had a sniff back through my mail archives and came up with this:
and its more formal version:
My memory was a bit out, it was July last year when I got this, not
november. The disclosure noted that:
"...brodcast frames carrying protocols like SNA, IPX CDP, CDP, VST ...
will all happily cross the firewall in and out without being checked
nor logged, possibly reaching remote parts of corporate networks. Even
the zone used for managing the firewall is not immune !!!"
What I found far worse than this was the author went on to note that:
"...Not only is the flaw infamous, but here is the worst:
NetScreen devised a FAKE, dummy screening option: "bypass non-IP
traffic". Toggling it on or off has absolutely no effect..."
But anyhow - rather than copy paste, it would be worth reading the
article. It seems that the testing was carried out using Bridge mode.
This was where my memory failed me with my reference to fail-open.
The exploit patently didnt even need the firewall module to fail in
order to be effective.
So, fail-open or not it seems that the flaw was even more serious.
Again, this was last July. I am uncertain at this time whether the
bug has been rectified. According to the report, Netscreen were
ps. hope I wasnt rude...