Bugtraq mailing list archives
Re: Router filtering not enough! (Was: Re: CERT advisory )
From: jmb () kryten Atinc COM (Jonathan M. Bresler)
Date: Thu, 26 Jan 1995 15:27:18 -0500 (EST)
On Thu, 26 Jan 1995, Dave Mitchell wrote:
> "Jonathan M. Bresler" <jmb () kryten Atinc COM> writes:
>> On Tue, 24 Jan 1995, Jim Duncan wrote:
>>>> As has been pointed out, only network or transport-level encryption
>>>> will entirely block these attacks.
>>> That's correct. That and teach people the difference between
>>> identification and authentication.
>> a filtering router is enough to prevent this attack from being used
>> from "the outside".
> This is all well and good as long as there is a simple
> "inside"/"outside" distinction. I am in this happy situation at the
> moment, and I have a filter between my dept and the main campus which
> rejects external packets claiming an internal src IP address. HOWEVER,
> I am likely to come under political pressure soon to allow R-protocol,
> NFS, etc to a machine on the other side of this filter. At which point
> my filter is virtually useless.

"political pressure soon to allow R-protocol, NFS, etc" those
reasons fall under the rubric of non-technical considerations. i do not
belittle them; frequently the technical fix is easy, but the political
situation is intolerable. can you 'spoof' the sources of the pressure?
place their data on a machine that is outside, but appears to them to be
inside. remember, provide management with a couple of typos to correct
and they won't notice the elephant in the corner of the office. if
necessary draw an integral on the elephant side---guarantees management
blindness:) if necessary, you can even refer to the integral "as you
can see here, the integral of packets density over time, using a poincare
(;)))))) distribution of arrival times.......) you know how to do this.

> So I think it's true to say that as a generalisation, encryption *is*
> the only way to block attacks.

sounds, good. but the other is available now, with little or no
implementation problems. a quick effective measure, till something
better is developed.
jmb
Jonathan M. Bresler jmb () kryten atinc com | Analysis & Technology, Inc.
| 2341 Jeff Davis Hwy
play go. | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
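
Added example (not part of the original post or thread): a small model of the border filter discussed above, showing why it stops covering an address-based trust entry once the trusted machine sits on the other side of the filter. The addresses, the trust-list model and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (RFC 5737 documentation ranges), not from the thread.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")      # the department
TRUSTED_INSIDE = ipaddress.ip_address("192.0.2.10")      # trusted host inside
TRUSTED_OUTSIDE = ipaddress.ip_address("198.51.100.20")  # trusted host on campus


def border_filter(src, arrived_on):
    """Return True if the router forwards the packet.

    Rule from the thread: reject packets that arrive on the external
    interface but claim an internal source address.
    """
    src = ipaddress.ip_address(src)
    if arrived_on == "external" and src in INTERNAL_NET:
        return False
    return True


def address_trusted(src, trust_list):
    """Identification-only trust: only the claimed source address is checked."""
    return ipaddress.ip_address(src) in trust_list


def reaches_trusting_service(src, arrived_on, trust_list):
    """True if a packet is both forwarded and accepted on its claimed address."""
    return border_filter(src, arrived_on) and address_trusted(src, trust_list)


def exposed_trust_entries(trust_list):
    """Trust entries the filter cannot protect: a packet arriving from
    outside and claiming that address is forwarded, genuine or not."""
    return sorted(str(a) for a in trust_list if border_filter(a, "external"))


if __name__ == "__main__":
    before = {TRUSTED_INSIDE}
    after = {TRUSTED_INSIDE, TRUSTED_OUTSIDE}
    print("exposed before policy change:", exposed_trust_entries(before))
    print("exposed after policy change: ", exposed_trust_entries(after))
```

The filter only knows which interface a packet arrived on, so any trust entry whose address legitimately lives outside has to be protected by authentication rather than by the router.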
