nanog mailing list archives
Re: Level3 routing issues?
From: alex () yuriev com
Date: Mon, 27 Jan 2003 19:26:57 -0500 (EST)
>> Deny everything. Allow outbound port 80
> Bzzt! You just let in an ActiveX exploit. Or Javascript. Or....
And I have successfully blocked everything other than ActiveX or JavaScript or whatever else.
>> Allow mail server to 25
> Bzzt! You just let in a new Outlook exploit.
It is talking only to your own server. Presumably you already made sure that your Outlook by itself does not do anything funny?
>> If you need AIM, allow AIM from workstations to oscar.aol.com and whatever the name of the other machine.
> Bzzt! You just let in an AIM exploit. That's assuming that you even *know* what the current name of the other machine is this time around - this laptop has had 6 IP addresses in as many hours. Remember there's a reason why 'talk george () his-box whatever dom' isn't as common anymore....
Oscar.aol.com and whatever the name of another .aol.com machine it is are the names associated with services that AIM connects to.
>> I am failing to see a problem.
> Well.. other than you let a box that wants to talk on the VPN get outside access to 3 things that are *KNOWN* vectors of malware which could then attack the VPN side of things, no, there's no problem here.
That's why the policy on that box that wants to talk to the secure network over VPN is to drop all but the traffic to/from gateway VPN client connects to on the floor. It is being done. CheckPoint, for example, manages to manage policy on the client not to contradict the policy of the site. Why don't others do it is beyond me.
Alex
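
The two policies argued over in this message, as an added illustration that is not part of the original message or any vendor's code: a first-match, default-deny evaluator plus a check that flags client rules admitting peers other than the VPN gateway. The `Rule` model, the function names, the addresses (documentation ranges) and the AIM port are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "drop"
    direction: str              # "out" or "in", seen from the client
    peer: str                   # remote address or CIDR
    port: Optional[int] = None  # remote port; None matches any

def decide(rules, direction, peer_ip, port):
    """First matching rule wins; anything unmatched is dropped."""
    ip = ipaddress.ip_address(peer_ip)
    for r in rules:
        if (r.direction == direction
                and ip in ipaddress.ip_network(r.peer)
                and r.port in (None, port)):
            return r.action
    return "drop"

def contradictions(rules, gateway_ip):
    """Allow rules that admit a peer other than the VPN gateway."""
    gw = ipaddress.ip_network(gateway_ip)
    return [r for r in rules
            if r.action == "allow" and ipaddress.ip_network(r.peer) != gw]

# Constructed addresses (documentation ranges), not from the thread.
GATEWAY = "192.0.2.1"
MAIL = "198.51.100.25"      # "your own server"
AIM = "203.0.113.10"        # stand-in for the AIM login host

# Workstation policy from the message: deny everything, then allow
# outbound 80, mail to your own server on 25, AIM to its named host.
WORKSTATION = [
    Rule("allow", "out", "0.0.0.0/0", 80),
    Rule("allow", "out", MAIL, 25),
    Rule("allow", "out", AIM, 5190),   # 5190: AIM's usual port, assumed
]

# VPN client policy: only traffic to/from the gateway survives.
VPN_CLIENT = [
    Rule("allow", "out", GATEWAY),
    Rule("allow", "in", GATEWAY),
]

if __name__ == "__main__":
    for name, pol in (("workstation", WORKSTATION), ("vpn", VPN_CLIENT)):
        print(name, [r.peer for r in contradictions(pol, GATEWAY)])
```

Running `contradictions` over the workstation rules returns all three allowances, which is the set a client would have to suspend while the tunnel is up to stay consistent with the gateway-only policy.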