Firewall Wizards mailing list archives
Re: Dangers from SNA?
From: joe_dauncey () uk ibm com
Date: Tue, 13 Jul 1999 18:26:33 +0100
Juergen,

If your bypass is purely layer two (i.e. token-ring/ethernet and no IP) then you will be secure from an IP point of view, because IP runs on layer three, and you can't play tricks on a protocol that isn't there. However, you still have the vulnerability with SNA traffic. There are ways you can spoof MAC addresses, so you want to evaluate that. Unfortunately I don't know too much about SNA security. You also need some way of ensuring that no one enables layer three on the network devices.

If you use DLSw you can treat it like IP through the firewall; however, the firewall is only going to be looking at the IP session characteristics, and not the SNA characteristics or contents. You also need to ensure that the firewall does not cause too much time lag, or else you will end up having dropped sessions all the time if the keepalives can't get through.

You also want to ask about how the SNA is being sent over the WAN. He may already be using DLSw, as the only alternative I know is a split-bridge. Whatever way it is being passed, the devices are quite probably IP addressable, and so you need to remove all traces of IP before the layer three element is removed.

Hope this helps,

Joe
Telecomms Specialist
Opinions mine own, etc.
AT&T Global Network Services
Firewalls, IP & Opennet Services
Security Analysis - Network Design Team

Juergen.Nieveler () gecits-eu com on 07/13/99 08:50:01 AM
Please respond to Juergen.Nieveler () gecits-eu com
To: firewall-wizards () nfr net
cc: (bcc: Joe Dauncey/UK/IBM)
Subject: Dangers from SNA?
Hi all!

A client of mine wants to secure his WAN with a firewall, but pass all SNA traffic through a bypass, because firewalls don't work too well with SNA. In effect, all SNA users (the IBM Net, for example) would connect directly to his network.

Are there any dangers from this approach, besides it being bloody ludicrous to bypass a firewall at all? Would repacking the SNA in IP with DLSw add more security, or just help to put it through the firewall?

Thanks in advance for any insights!

Mit freundlichen Gruessen - Yours sincerely
Juergen Nieveler
CompuNet Koeln
System Engineering
Industriestrasse 161e, 50999 Koeln, Germany
Phone: ++49(0)2236/608161, Fax: ++49(0)2236/9651220, Internet: Juergen.Nieveler @ gecits-eu.com
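The DLSw-through-the-firewall option discussed in this exchange, as an added illustration that is not part of the original thread or either poster's work: since the firewall only sees the IP/TCP session around the SNA payload, the useful policy is to pin the DLSw peer addresses and ports tightly and to check that the firewall's idle timeout outlives the DLSw keepalive. The peer addresses, the sample flow-log lines, the keepalive interval and the idle timeout below are constructed assumptions; only the DLSw TCP ports (2065 and 2067, from RFC 1795, with RFC 2166 using 2065 alone) are taken from the protocol specifications.

```python
"""Minimal DLSw-through-firewall policy check.

Added example, not code from the original mailing-list thread.  It models
the point that a firewall in front of DLSw judges only the IP session
(who talks to whom, on which TCP port) and never the SNA inside it, so the
session itself must be constrained as tightly as possible.
"""
import re
from dataclasses import dataclass

# RFC 1795 DLSw peers use TCP 2065 (read) and 2067 (write); RFC 2166
# collapses this to a single TCP connection on 2065.
DLSW_PORTS = frozenset({2065, 2067})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DlswPolicy:
    """Allow only DLSw sessions between two named peers; deny everything else.

    Both addresses are assumptions for the example, not addresses from the
    original thread.
    """
    inside_peer: str   # client's own DLSw router
    outside_peer: str  # partner's DLSw router

    def decide(self, flow: Flow) -> str:
        if flow.proto != "tcp":
            return "deny: DLSw is TCP only; nothing else is expected from the partner"
        if {flow.src, flow.dst} != {self.inside_peer, self.outside_peer}:
            return "deny: not between the two configured DLSw peers"
        if flow.dport not in DLSW_PORTS:
            return "deny: not a DLSw port"
        return "allow: DLSw peer session"


def keepalive_safe(idle_timeout_s: int, keepalive_s: int, margin: float = 2.0) -> bool:
    """True when the firewall's TCP idle timeout outlives the DLSw keepalive.

    The margin leaves room for one lost keepalive or some WAN delay, so the
    firewall does not tear down an otherwise healthy SNA session.
    """
    return idle_timeout_s >= keepalive_s * margin


# Constructed flow-log lines, in a made-up "key=value" format for the example.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

SAMPLE_LOG = [
    "src=192.0.2.10 dst=198.51.100.20 proto=tcp dport=2065",   # DLSw read
    "src=198.51.100.20 dst=192.0.2.10 proto=tcp dport=2067",   # DLSw write
    "src=198.51.100.20 dst=192.0.2.10 proto=tcp dport=23",     # telnet from partner
    "src=198.51.100.99 dst=192.0.2.10 proto=tcp dport=2065",   # DLSw from unknown host
    "src=198.51.100.20 dst=192.0.2.10 proto=udp dport=161",    # SNMP from partner
]


def audit(policy: DlswPolicy, log_lines):
    """Return (line, verdict) pairs for every flow seen at the firewall."""
    results = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            results.append((line, "deny: unparseable flow record"))
            continue
        flow = Flow(m[1], m[2], m[3], int(m[4]))
        results.append((line, policy.decide(flow)))
    return results


POLICY = DlswPolicy(inside_peer="192.0.2.10", outside_peer="198.51.100.20")

if __name__ == "__main__":
    for line, verdict in audit(POLICY, SAMPLE_LOG):
        print(f"{verdict:<60} {line}")
    # Assumed values: 30 s DLSw keepalive against a 300 s firewall idle timeout.
    print("keepalive survives idle timeout:", keepalive_safe(300, 30))
```

Of the five constructed flows only the two between the configured peers on DLSw ports pass; the telnet and SNMP attempts from the partner router and the DLSw attempt from an unlisted host are all refused on session characteristics alone, which is exactly the extent of what the firewall can do here. What happens inside an allowed DLSw session is still invisible to it, so this does not substitute for SNA-level controls.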
Current thread:
- Dangers from SNA? Juergen . Nieveler (Jul 13)
- Re: Dangers from SNA? Ted Doty (Jul 13)
- <Possible follow-ups>
- Re: Dangers from SNA? joe_dauncey (Jul 14)
- Re: Dangers from SNA? kevans (Jul 14)