Re: non-IP firewalls

[David Phelan <dphelan () pavilion co uk>]

At 00:25 30/04/98 -0400, Chris Brenton wrote:
> -= ArkanoiD =- wrote:
> > A question is: what non-IP protocols can be (and should be) firewalled?
> "Should" is implementation specific, "can is a whole different story.
>
> IPX - filter RIPs and SAPs to control server access
> You can control who can get to each server by blocking route and server
> advertisements. This is not as clean as it may sound as you have a few
limitations:
> 1) You can not filter on a per client basis (at least not that I have seen)
> 2) Depending on the config, you can circumvent the filtering
>
> For example, let's say I have a client on network 1 and there are two
servers on
> network 2. I want the client to be able to access server A but not server
B. While
> I can filter out RIP/SAP so the client will not see the server, all the
client has
> to do is query server A for all known servers. This will tell me about
server B and
> allow me to connect up. To prevent this, I would have to hide server A&B
from each
> other, not a good thing in an NDS environment.

Hmmm. Generally speaking, filtering RIP means no SAPs get passed for the
filtered routes, but I guess you're talking about GNS (via server A)
allowing access to a filtered service. Even if server A can deliver a GNS
answer for server B (denied by a route filter), a packet-wise access list
in the inbound interface should be able to cream off packets to the blocked
server.

But since IPX uses broadcasts to advertise network reachabilty, it is hard
to hide specific reachability info from *specific* clients on a single
broadcast domain.

> AT - Filter Zone names and network ranges
> Again, not the best security control as I must block full ranges, I can
not block
> individual clients. AT devices dynamically grab a unique address on
startup. This
> means that I can not block individual clients as I can not predict which
address
> they will use. Yes this can be preset, but it's way to easy to reset it.

You can filter out specific zones and NBP 'services' using Cisco IOS, but
you're correct, client address allocation is dynamic, which makes blocking
specific machines hard. Is this any different from DHCP/BOOTP in IP?

> NetBIOS - ????
> None that I know of beyond filtering out traffic to the multicast address
> 030000000001. This still is not cool as it would block all NEtBIOS/NEtBEUI
traffic.
> About the equivalent of just cutting the cable. You do get a bit of
control if you
> use scopes but this is way too easy to defeat.

Or use NETBIOS name filtering to control access to servers.

> Given the above descriptions, I guess IP is not all that insecure after
all. ;)


> > Some people ask me if i can let ipx through firewalls i build - i answer no
> > just because i can't filter and monitor it properly and thus it will
break the
> > security policy..
>
> Cisco does a pretty good job of filtering IP, IPX and AT. NetWare 4.1
includes a
> utility called filtcfg that can be run from the server console. You need
to enable
> support through inetcfg first, but it does a pretty cool job of
controlling traffic
> in multi-NIC servers.

If you have connections to other nets via links other than your 'outside'
IP feed, you're on a slippery path anyway. Just because it isn't IP doesn't
make it any safer or less safe. If you can't secure it, don't allow it.

Dave Phelan

+---------------------------------------------------------------+
| Dave Phelan                         dphelan () pavilion co uk    |
| CCIE# 3590        http://freepages.pavilion.net/users/dphelan |
|                                                               |
| "I do not think an enormous permanent underclass is a         |
| very good thing to have if you're attempting to operate       |
| something that at least pretends sometimes to be a democracy."|
|                                            -- William Gibson. |
+---------------------------------------------------------------+