Firewall Wizards mailing list archives

Re: Dangers from SNA?


From: joe_dauncey () uk ibm com
Date: Tue, 13 Jul 1999 18:26:33 +0100



Juergen,

If your bypass is purely layer two (i.e. token-ring/ethernet and no IP) then
you will be secure from an IP point of view because IP runs on layer three,
and you can't play tricks on a protocol that isn't there. However, you
still have the vulnerability with SNA traffic. There are ways you can spoof
MAC addresses, so you want to evaluate that. Unfortunately I don't know too
much about SNA security. You also need some way of ensuring that no one
enables layer three on the network devices.

If you use DLSw you can treat it like IP through the firewall, however, the
firewall is only going to be looking at the IP session characteristics, and
not the SNA characteristics or contents. You also need to ensure that the
firewall does not cause too much timelag, or else you will end up having
dropped sessions all the time if the keepalives can't get through.

You also want to ask about how the SNA is being sent over the WAN. He may
already be using DLSw, as the only alternative I know is a split-bridge.
Whatever way it is being passed, the devices are quite probably IP
addressable, and so you need to remove all traces of IP before the layer
three element is removed.

Hope this helps,

Joe

Telecomms Specialist
Opinions mine own, etc.
AT&T Global Network Services
Firewalls, IP & Opennet Services
Security Analysis - Network Design Team


Juergen.Nieveler () gecits-eu com on 07/13/99 08:50:01 AM

Please respond to Juergen.Nieveler () gecits-eu com

To:   firewall-wizards () nfr net
cc:    (bcc: Joe Dauncey/UK/IBM)
Subject:  Dangers from SNA?

Hi all!

A client of mine wants to secure his WAN with a firewall, but pass all
SNA traffic through a bypass, because firewalls don't work too well with
SNA. In effect, all SNA users (the IBM Net, for example) would connect
directly to his network. Are there any dangers from this approach, besides
it being bloody ludicrous to bypass a firewall at all?

Would repacking the SNA in IP with DLSW add more security, or just help to
put it through the firewall?

Thanks in advance for any insights!

Mit freundlichen Gruessen - Yours sincerely

Juergen Nieveler
CompuNet Koeln
System Engineering
Industriestrasse 161e, 50999 Koeln, Germany
Phone: ++49(0)2236/608161, Fax: ++49(0)2236/9651220,
Internet: Juergen.Nieveler @ gecits-eu.com
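Joe's point above, that a firewall passing DLSw only evaluates the IP/TCP session and not the SNA characteristics inside it, can be shown concretely. The following is an added example, not code from either poster: it contrasts a 5-tuple filter decision with a decoder for the DLSw SSP control header that rides in the TCP payload (72-byte header layout and message-type codes assumed from RFC 1795; TCP 2065 is the DLSw read port; the MAC and SAP values are constructed test data).

```python
import struct

# DLSw SSP control header (RFC 1795): 72 bytes; field offsets assumed from the RFC.
SSP_VERSION = 0x31
SSP_HDR_LEN = 72
DLSW_TCP_PORT = 2065  # DLSw "read" port, the TCP session a firewall would permit
MSG_TYPES = {0x03: "CANUREACH_ex", 0x04: "ICANREACH_ex", 0x05: "REACH_ACK",
             0x06: "DGRMFRAME", 0x07: "XIDFRAME", 0x08: "CONTACT",
             0x09: "CONTACTED", 0x0A: "INFOFRAME", 0x0E: "HALT_DL",
             0x0F: "DL_HALTED"}


def packet_filter_verdict(src_ip, dst_ip, proto, dport, allowed_peers):
    """All a 5-tuple firewall checks: TCP to the DLSw port between known peers."""
    return proto == "tcp" and dport == DLSW_TCP_PORT and (src_ip, dst_ip) in allowed_peers


def parse_ssp_header(payload):
    """Decode the SNA-level fields inside the TCP payload (never seen by the filter above)."""
    if len(payload) < SSP_HDR_LEN:
        raise ValueError("short SSP header")
    version, hdr_len, _msg_len = struct.unpack_from("!BBH", payload, 0)
    if version != SSP_VERSION or hdr_len != SSP_HDR_LEN:
        raise ValueError("not a DLSw SSP control header")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "msg_type": MSG_TYPES.get(payload[14], f"unknown(0x{payload[14]:02x})"),
        "target_mac": mac(payload[24:30]),
        "origin_mac": mac(payload[30:36]),
        "origin_sap": payload[36],
        "target_sap": payload[37],
    }


def build_ssp_sample(msg_type, target_mac, origin_mac, origin_sap, target_sap):
    """Construct a sample SSP header (test data, not captured traffic)."""
    hdr = bytearray(SSP_HDR_LEN)
    struct.pack_into("!BBH", hdr, 0, SSP_VERSION, SSP_HDR_LEN, 0)
    hdr[14] = hdr[23] = msg_type  # message type appears twice in the header
    hdr[24:30] = target_mac
    hdr[30:36] = origin_mac
    hdr[36], hdr[37] = origin_sap, target_sap
    return bytes(hdr)


if __name__ == "__main__":
    # Same permitted TCP session; the filter verdict ignores every field decoded below.
    pkt = build_ssp_sample(0x03, bytes.fromhex("400000000002"),
                           bytes.fromhex("400000000001"), 0x04, 0x04)
    print(packet_filter_verdict("10.0.0.1", "10.0.0.2", "tcp", 2065,
                                {("10.0.0.1", "10.0.0.2")}), parse_ssp_header(pkt))
```

Anything that must decide on SNA endpoints (which MAC/SAP pairs may reach which host) has to be enforced in the DLSw routers or on the SNA side, since the IP firewall only ever decides on the outer session.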



