Firewall Wizards mailing list archives

Re: DMZ config question


From: Chris Lonvick <clonvick () cisco com>
Date: Fri, 10 Apr 1998 22:31:48 -0500

Hi,

Oops...  This does show a point I missed (probably one of many).

Any smidgen of intelligence in a network device may be exploitable.  
From that, I'd add to the list something like:

Harden each device - In the devices that have intelligence,
(Unix, NT, etc.), and in your network devices (router, switch, hub)
reduce the interfaces that are available (telnet, ftp, SNMP, finger, 
echo/ip, timestamp/ip, discard/ip, bootp, etc.) to only those 
service interfaces that you will want to present to the untrusted 
network.

This may mean eliminating the ftp service from the web server which 
may mean that it is difficult to update the content.  Bummer - your
choice; safe or easy.  Extrapolating from what Adam wrote, I'd 
suggest you know (or find) the entry points to each device and
decide if they're safe or not.  "Safe" being a term relative to your
context.  If they're just not needed, eliminate them.

I'm sure there are many more types of malicious attacks on switches
that I'll be learning about in the coming months...  ;-)  Thanks for
the pointer.

Good luck,
Chris


---various stuff deleted for brevity, except---
At 03:57 PM 4/10/98 -0400, Adam Shostack wrote:
Eric Vyncke wrote:
| At 08:56 10/04/98 -0400, Adam Shostack wrote:
| >    I hate to spread FUD, but last summer at Black Hat Briefings,
| >I asked a panel which included Mudge, route, Artimage, and a number of
| >other smart hackers about the next big type of attack, now that buffer
| >overflows and misconfigurations are commonplace.
| >
| >    There were a couple of confident replies that switching
| >technology only works until you subject it to malicious attack, and
| >then all sorts of interesting things can be made to happen.
| >
| >    This jibes with my experience, which is that technologies not
| >designed for security don't provide security, and that technologies
| >not designed to resist malicious attacks don't resist malicious
| >attacks.
| >
| >    So, if you choose to rely on a switch, ask your vendor for
| >their test results from when they maliciously attacked it.  Adjust
| >your trust levels accordingly.  And deploy IPsec.
| >
| >Adam
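One way to put Chris's "know the entry points to each device and eliminate the ones you don't need" into practice on a Unix host, as an added example that is not from the thread: parse `ss -tulnH` output and report every listener that is not on the set of services you intend to expose. The sample output and the allowlist are constructed for the demonstration.

```python
"""Added example (not from the mailing-list thread): audit listening
services against an allowlist. Parses the `ss -tulnH` column layout
(netid, state, recv-q, send-q, local addr:port, peer addr:port)."""

# Well-known ports for the services the post names as candidates for
# removal (telnet, ftp, SNMP, finger, echo, discard, bootp, ...).
# Port numbers are the standard IANA assignments.
KNOWN_SERVICES = {
    7: "echo", 9: "discard", 13: "daytime", 21: "ftp", 23: "telnet",
    37: "time", 67: "bootp", 69: "tftp", 79: "finger", 161: "snmp",
}

def parse_listeners(ss_output):
    """Return a set of (proto, port) tuples from `ss -tulnH` text."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        # rsplit handles IPv6 forms such as [::]:22 as well as *:22
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            listeners.add((proto, int(port)))
    return listeners

def audit_listeners(ss_output, allowed):
    """Return sorted (proto, port, name) for listeners not in `allowed`,
    where `allowed` is the set of (proto, port) pairs you mean to expose."""
    findings = []
    for proto, port in sorted(parse_listeners(ss_output)):
        if (proto, port) not in allowed:
            findings.append((proto, port, KNOWN_SERVICES.get(port, "unknown")))
    return findings

# Constructed sample of `ss -tulnH` output, not captured from a real host.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:21          0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128             [::]:80             [::]:*
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:67          0.0.0.0:*
"""

if __name__ == "__main__":
    # A web server that should only present ssh and http to the outside.
    for proto, port, name in audit_listeners(SAMPLE_SS, {("tcp", 22), ("tcp", 80)}):
        print(f"{proto}/{port} ({name}) is listening but not on the allowlist")
```

Run the audit against real `ss -tulnH` output on each host and treat every finding as a service to justify or remove.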


