Security Basics mailing list archives

RE: Allowing scanning from home


From: Steven Trewick <STrewick () joplings co uk>
Date: Tue, 2 Nov 2004 11:26:24 -0000


but spoofing an IP addy is a very trivial task


While I would agree that it is entirely trivial to create
and send IP packets with arbitrary addresses, this is by no
means the same thing as being able to leverage IP "spoofing"
into a successful attack, particularly if TCP based 
protocols are involved (UDP is more trivial, but only if no
reply is required)

In any case, surely IP spoofing would not be an issue if all you 
are doing is running port scan tools against the network, it is 
only an issue if you are allowing inward connections from those 
particular IP addresses, and even then falls under the above 
caveats, e.g. it is very non-trivial to mount a successful IP 
spoofing attack through a chain of routers, such as one might 
find between an employee's ISP and your own network border 
(unless you are running some horribly vulnerable UDP based service 
at your network border, in which case you are already screwed 
anyway)


Or have I misunderstood something?






-----Original Message-----
From: xyberpix [mailto:xyberpix () xyberpix com]
Sent: 30 October 2004 22:07
To: Donald Voss
Cc: ericaldrc51 () netscape net; Security Basics[List]
Subject: Re: Allowing scanning from home


I would say that a thorough inspection of the host network that's going
to be doing the scanning should be done. That's what we do at our place,
in regard to employees and any itsec contractors that we have in. It
may be an invasion of privacy, but spoofing an IP addy is a very trivial
task, and social engineering can lead to a world of wealth.

Just my 2p's worth.

xyberpix

On Thu, 2004-10-28 at 21:33, Donald Voss wrote:
Eric,

I'm not the group .. but my $.02.

Policy, policy, policy, as in your company's.

Satisfy that .. or decide one needs to be written and approved.

Then .. a get out of jail card .. written .. by supervisor on up if need
be with details - names, tools, - maybe a time period .. a report, etc.

/don


ericaldrc51 () netscape net wrote:
What's the group's consensus on allowing security staff 
to scan the company's external interfaces from their home, to 
get a true external assessment.  I personally don't agree 
with this for audit and other reasons.  Just looking for some 
other professional viewpoints.  Thx.


-- 
For Security and Open Source news:
http://xyberpix.demon.co.uk





