Firewall Wizards mailing list archives

Re: Dangers from SNA?


From: Ted Doty <ted () iss net>
Date: Tue, 13 Jul 1999 14:52:41 -0400

At 08:50 AM 7/13/99 +0100, Juergen.Nieveler () gecits-eu com wrote:

A client of mine wants to secure his WAN with a firewall, but pass all
SNA-traffic through a bypass, because firewalls don't work too well with
SNA. In effect, all SNA-Users (the IBM Net, for example) would connect
directly to his network. Are there any dangers from this approach, besides
it being bloody ludicrous to bypass a firewall at all?

Given the prevalence of password sniffers and the lack of protection that
SNA provides against password attack, this would appear to be risky.  While
I haven't heard of anyone crafting custom SNA packets to do a spoofing
attack with captured passwords, the protocols are well documented.

Would repacking the SNA in IP with DLSW add more security, or just help to
put it through the firewall?

Might even make it easier to spoof.  Lots of people understand IP spoofing,
and adding encapsulated headers inside IP is much easier than crafting raw
packets themselves.  There are several packet editing tools available to
help with this.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE


