Bugtraq mailing list archives

Re: NYT Article this morning

From: rfb () lehman com (Rick Busdiecker)
Date: Tue, 24 Jan 1995 13:12:44 -0500

    Date: Mon, 23 Jan 1995 15:37:36 -0500
    From: "Perry E. Metzger" <perry () imsi com>

    Christopher Klaus says:
    > To fully fix the problem will require all the vendors to come out with
    > kernel patches to make the TCP sequence numbering difficult to
    > guess,

    Even that is insufficient, actually. If you see a packet going by, you
    can still try to jam the works up and steal the connection anyway. The
    only permanent solution is a cryptographic security protocol for the
    net -- one is actually in the works now in the IETF.

Morris' paper concludes with this sentence:

  A workable solution might be to only trust hosts on the same
  physical network, and modify gateways to reject packets that claim
  to, but do not in fact, come from directly connected networks.

Your statement as to the ``only permanent solution'' suggests that you
disagree with Morris' hypothesis.

Do you believe that it's possible to use the techniques that are being
discussed to get past a ``two wire'' firewall which ignores internal
packets originating from the external wire?

                        Rick

Current thread:

Re: NYT Article this morning der Mouse (Jan 23)
- <Possible follow-ups>
- Re: NYT Article this morning Perry E. Metzger (Jan 23)
  - Re: NYT Article this morning Rick Busdiecker (Jan 24)
    - Re: NYT Article this morning Perry E. Metzger (Jan 24)
- Re: NYT Article this morning David Kovar (Jan 23)
  - Re: NYT Article this morning Valdis.Kletnieks () vt edu (Jan 24)