Bugtraq mailing list archives
Re: Router filtering not enough! (Was: Re: CERT advisory )
From: jmb () kryten Atinc COM (Jonathan M. Bresler)
Date: Thu, 26 Jan 1995 15:27:18 -0500 (EST)
On Thu, 26 Jan 1995, Dave Mitchell wrote:
> "Jonathan M. Bresler" <jmb () kryten Atinc COM> writes:
> On Tue, 24 Jan 1995, Jim Duncan wrote:
> As has been pointed out, only network or transport-level encryption will entirely block these attacks.
> That's correct. That and teach people the difference between identification and authentication.
> a filtering router is enough to prevent this attack from being used from "the outside".
>
> This is all well and good as long as there is a simple "inside"/"outside" distinction. I am in this happy situation at the moment, and I have a filter between my dept and the main campus which rejects external packets claiming an internal src IP address. HOWEVER, I am likely to come under political pressure soon to allow R-protocol, NFS, etc to a machine on the other side of this filter. At which point my filter is virtually useless.

"political pressure soon to allow R-protocol, NFS, etc" those reasons fall under the rubric of non-technical considerations. i do not belittle them; frequently the technical fix is easy, but the political situation is intolerable. can you 'spoof' the sources of the pressure? place their data on a machine that is outside, but appears to them to be inside. remember, provide management with a couple of typos to correct and they won't notice the elephant in the corner of the office. if necessary draw an integral on the elephant side---guarantees management blindness:) if necessary, you can even refer to the integral "as you can see here, the integral of packets density over time, using a poincare (;)))))) distribution of arrival times.......) you know how to do this.

> So I think it's true to say that as a generalisation, encryption *is* the only way to block attacks.

sounds good. but the other is available now, with little or no implementation problems. a quick effective measure, till something better is developed.

jmb

Jonathan M. Bresler  jmb () kryten atinc com | Analysis & Technology, Inc.
                                             | 2341 Jeff Davis Hwy
play go.                                     | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life   | 703-418-2800 x346
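
The filter limitation discussed in the quoted text above, modelled as an added example that is not part of the original post: the border rule can only check a claimed source address against the arrival interface, so any address-based trust granted to a host on the outside is left unverified. The networks, the campus host address and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing (RFC 5737 documentation ranges); none of it is from the thread.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")      # the department, behind the filter
CAMPUS_HOST = ipaddress.ip_network("198.51.100.10/32")   # outside machine to be granted rsh/NFS


def border_filter(arrival_iface, claimed_src):
    """The rule described in the thread: reject packets that arrive on the
    outside interface while claiming an internal source address."""
    src = ipaddress.ip_address(claimed_src)
    if arrival_iface == "outside" and src in INTERNAL_NET:
        return "drop"
    return "forward"


def classify(arrival_iface, claimed_src, trusted_nets):
    """How a service that trusts by source address (r-protocols, NFS) ends up
    treating a packet. The claimed source is chosen by the sender; the arrival
    interface is the only fact the router observes for itself."""
    if border_filter(arrival_iface, claimed_src) == "drop":
        return "dropped-at-border"
    src = ipaddress.ip_address(claimed_src)
    if not any(src in net for net in trusted_nets):
        return "untrusted"
    if arrival_iface == "inside":
        # Assumes the simple inside/outside split: inside senders are not modelled.
        return "trusted-inside"
    # Arrived from outside with a trusted outside address: the router has
    # nothing to compare the claim against, genuine or forged.
    return "trusted-unverified"


def uncovered_trust(trusted_nets):
    """Trust entries the border rule cannot vouch for: anything that is not
    wholly contained in the internal network."""
    return [net for net in trusted_nets if not net.subnet_of(INTERNAL_NET)]


if __name__ == "__main__":
    before = [INTERNAL_NET]
    after = [INTERNAL_NET, CAMPUS_HOST]
    for label, trusted in (("before exception", before), ("after exception", after)):
        print(label)
        print("  outside, claims 192.0.2.7     ->", classify("outside", "192.0.2.7", trusted))
        print("  outside, claims 198.51.100.10 ->", classify("outside", "198.51.100.10", trusted))
        print("  trust the filter cannot check:", [str(n) for n in uncovered_trust(trusted)])
```

Running `uncovered_trust` over the address entries a host actually trusts gives the list of relationships that need authentication stronger than a source address.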