Security Basics mailing list archives

RE: Cisco Workaround


From: Tim Donahue <TDonahue () haynesconstruction com>
Date: Fri, 25 Jul 2003 15:43:14 -0400

Hmmm.... Why don't you open up the protocols from the addresses that you
need.  Isn't this a standard firewalling technique?

Plus I believe that they said that there are new versions of IOS that are
not vulnerable to this attack, which means that you can upgrade IOS and
resolve the issue altogether.

Tim Donahue



-----Original Message-----
From: Ghaith Nasrawi [mailto:libero () aucegypt edu] 
Sent: Friday, July 25, 2003 11:33 AM
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: RE: Cisco Workaround


Well, my question is; what the hell if I was using any of 
these protocols?? Didn't Cisco think of that?? They should 
have suggested a more decent solution.


./Ghaith
===============

Today is the tomorrow you worried about yesterday





-----Original Message-----
From: jamesworld () intelligencia com [mailto:jamesworld () intelligencia com]
Sent: Wednesday, July 23, 2003 6:48 PM
To: Alvaro Gordon-Escobar
Cc: firewalls () securityfocus com; security-basics () securityfocus com
Subject: Re: Cisco Workaround

Alvaro,

No.  The protocol blocked by the access-list is protocol 53, not protocol
TCP or protocol UDP port 53.

If you need further info, let me know,

-James



At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote:
Will this access list modification prevent my internal DNS server from
updates to itself from my telco's DNS server?

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any

Thanks in advance

~alvaro Escobar
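
Added example, not part of the original thread: a minimal Python evaluator for the ACL quoted above, showing the point in James's reply that `deny 53 any any` matches IP protocol number 53 rather than TCP or UDP port 53. The names `parse_acl` and `evaluate` are hypothetical, and only the `any any` forms (with an optional `eq <port>`) are modelled.

```python
import re

# Keyword -> IP protocol number; "ip" (None) matches every protocol.
PROTO_KEYWORDS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

# The ACL quoted in the thread, comment lines dropped.
THREAD_ACL = """\
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
access-list 101 permit ip any any
"""

LINE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(\S+)"
    r"\s+any\s+any(?:\s+eq\s+(\d+))?$"
)

def parse_acl(text):
    """Return (action, ip_protocol_or_None, dst_port_or_None) per ACL entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, proto, port = m.groups()
        proto_num = PROTO_KEYWORDS[proto] if proto in PROTO_KEYWORDS else int(proto)
        if proto_num is not None and not 0 <= proto_num <= 255:
            raise ValueError(f"IP protocol out of range: {proto}")
        if port is not None and proto_num not in (6, 17):
            raise ValueError("eq <port> only applies to tcp or udp entries")
        entries.append((action, proto_num, int(port) if port else None))
    return entries

def evaluate(entries, ip_protocol, dst_port=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, proto, port in entries:
        if proto is not None and proto != ip_protocol:
            continue  # entry names a different IP protocol number
        if port is not None and port != dst_port:
            continue  # entry names a different destination port
        return action
    return "deny"
```

With the thread's ACL, `evaluate(parse_acl(THREAD_ACL), 17, 53)` (a UDP packet to port 53) falls through the four deny lines and returns `"permit"`, while `evaluate(parse_acl(THREAD_ACL), 53)` (a packet whose IP protocol field is 53) returns `"deny"`.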
