Firewall Wizards mailing list archives

RE: Subject: Gauntlet Rule Interpretation


From: ark () eltex ru
Date: Fri, 15 Feb 2002 13:54:09 +0300

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

a question: do SNMP application gateways (there was one in Gauntlet, AFAIR?)
protect from those vulnerabilities?

P.S. i'd NEVER use rules like those listed, looks damn insecure.

"R. DuFresne" <dufresne () sysinfo com> said :


CERT's advisory seemed more specific:

CERT Advisory CA-2002-03: Multiple Vulnerabilities in Many Implementations of the
Simple Network Management Protocol (SNMP)
http://www.cert.org/advisories/CA-2002-03.html

Hope that fills in the blanks.

Thanks,

Ron DuFresne


On Wed, 13 Feb 2002, Zbonski, David wrote:

I am not intimately familiar with Gauntlet but I can read, too.  And I agree
with your statement that the rule, with no specific blocking of SNMP (in
another rule), would allow the traffic from the source to the destination.
And while we're talking about blocking SNMP - SANS released a vague alert
saying that SNMP was dangerous.  But they also included a statement saying
that UDP 1993 was dangerous to Ciscos as well.  That was news to me.

David Z

-Message: 9
-From: "Johann van Duyn" <Johann_van_Duyn () bat com>
-To: firewall-wizards () nfr net
-Date: Wed, 13 Feb 2002 15:59:31 +0200
-Subject: [fw-wiz] Gauntlet Rule Interpretation
-
-
-
-Hi there...
-
-I am arguing with our network manager regarding the interpretation of
-Gauntlet (on BSD Unix) rulesets. My knowledge of Gauntlet is not very deep,
-but I can read, and I am sure that I am interpreting the rules correctly.
-
-The ruleset says NOTHING specific about SNMP traffic, either by proxy name
-or by port number.
-
However, some of our rules look like this:

        authenIP: permit-forward -if ef1 -proto * -srcaddr a.b.c.d:255.255.255.255
            -dstaddr w.x.y.z:255.255.255.255 -srcport * -dstport *
        authenIP: permit-forward -if exp0 -proto * -dstaddr a.b.c.d:255.255.255.255
            -srcaddr w.x.y.z:255.255.255.255 -dstport * -srcport *

Surely such a rule would let SNMP traffic from a.b.c.d to w.x.y.z and
vice-versa? Or am I missing something here?
<DELETED>

                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBPGzo0KH/mIJW9LeBAQG0rAP/QCcCNF+RmApbSWwvMcCtdc393lZCi47L
tkZlbCyATL6gg4OKURAH5yNnz9aQSQvfr+8pXyDNC24LQLqZIPUDKy4QmIaMJiLw
jnvJm/kRev5DMC0IU0gVG5l8+z+WGW9nXJ/wSOpsg489b9PvATttFzOeYXT2tY5T
z09lm5rZZQ4=
=anER
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
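Added example, not part of the thread and not Gauntlet's own code: a small Python matcher that parses rules in the shape quoted above and evaluates constructed packets against them. It shows what Johann is reading from the ruleset, namely that a permit-forward with "-proto *", "-srcport *" and "-dstport *" between two hosts matches SNMP (UDP/161, UDP/162) and the UDP/1993 port David mentions just as readily as anything else, and how explicit denies placed in front of the broad permit change the outcome. Assumptions beyond what the thread shows: a "deny-forward" action, single port numbers as -srcport/-dstport values, first-match rule ordering, and reading "addr:mask" as address plus netmask. The addresses 192.0.2.10 and 198.51.100.20 stand in for a.b.c.d and w.x.y.z, and all packets are constructed.

```python
"""Toy matcher for Gauntlet-style permit-forward rules (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str              # "permit-forward" or "deny-forward" (deny keyword assumed)
    iface: str               # value of -if
    proto: str               # value of -proto: "*" or a protocol name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    srcport: str             # "*" or a single port number (single-port form assumed)
    dstport: str


def _parse_addr(spec):
    """'a.b.c.d:m.m.m.m' -> network; the mask is treated as a netmask (assumption)."""
    addr, mask = spec.split(":")
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_rule(line):
    """Parse one 'authenIP: permit-forward -if ef1 -proto * ...' line."""
    _label, body = line.split(":", 1)
    toks = body.split()
    opts = dict(zip(toks[1::2], toks[2::2]))   # "-if ef1 -proto * ..." -> {"-if": "ef1", ...}
    return Rule(action=toks[0], iface=opts["-if"], proto=opts["-proto"],
                src=_parse_addr(opts["-srcaddr"]), dst=_parse_addr(opts["-dstaddr"]),
                srcport=opts["-srcport"], dstport=opts["-dstport"])


def _port_ok(spec, port):
    return spec == "*" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt is a dict with keys if, proto, src, dst, sport, dport."""
    return (rule.iface == pkt["if"]
            and rule.proto in ("*", pkt["proto"])
            and ipaddress.IPv4Address(pkt["src"]) in rule.src
            and ipaddress.IPv4Address(pkt["dst"]) in rule.dst
            and _port_ok(rule.srcport, pkt["sport"])
            and _port_ok(rule.dstport, pkt["dport"]))


def decide(rules, pkt):
    """First matching rule wins (ordering assumed); no match -> 'no-match'."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action
    return "no-match"


# Constructed addresses standing in for a.b.c.d / w.x.y.z in the thread.
A, W = "192.0.2.10", "198.51.100.20"
HOST = "255.255.255.255"

# The two rules as quoted in the thread, placeholders substituted.
LOOSE = [parse_rule(l) for l in (
    f"authenIP: permit-forward -if ef1 -proto * -srcaddr {A}:{HOST} -dstaddr {W}:{HOST} -srcport * -dstport *",
    f"authenIP: permit-forward -if exp0 -proto * -dstaddr {A}:{HOST} -srcaddr {W}:{HOST} -dstport * -srcport *",
)]

# Same pair with explicit SNMP denies in front of the broad permit
# (deny-forward keyword and single-port -dstport values are assumptions).
TIGHT = [parse_rule(l) for l in (
    f"authenIP: deny-forward -if ef1 -proto udp -srcaddr {A}:{HOST} -dstaddr {W}:{HOST} -srcport * -dstport 161",
    f"authenIP: deny-forward -if ef1 -proto udp -srcaddr {A}:{HOST} -dstaddr {W}:{HOST} -srcport * -dstport 162",
    f"authenIP: deny-forward -if ef1 -proto udp -srcaddr {A}:{HOST} -dstaddr {W}:{HOST} -srcport * -dstport 1993",
)] + LOOSE

# Constructed packets arriving on ef1.
SNMP_GET  = {"if": "ef1", "proto": "udp", "src": A, "dst": W, "sport": 40000, "dport": 161}
SNMP_TRAP = {"if": "ef1", "proto": "udp", "src": A, "dst": W, "sport": 40001, "dport": 162}
UDP_1993  = {"if": "ef1", "proto": "udp", "src": A, "dst": W, "sport": 40002, "dport": 1993}
SSH       = {"if": "ef1", "proto": "tcp", "src": A, "dst": W, "sport": 40003, "dport": 22}
OTHER_SRC = {"if": "ef1", "proto": "udp", "src": "203.0.113.5", "dst": W, "sport": 1, "dport": 161}

if __name__ == "__main__":
    for name, pkt in (("SNMP get", SNMP_GET), ("SNMP trap", SNMP_TRAP),
                      ("UDP/1993", UDP_1993), ("ssh", SSH), ("other src", OTHER_SRC)):
        print(f"{name:10} loose={decide(LOOSE, pkt):14} tight={decide(TIGHT, pkt)}")
```

Run stand-alone it prints one line per packet: under the quoted pair every packet between the two hosts comes back permit-forward, including the SNMP ones, while a packet from any other source matches nothing; with the denies in front, only the SNMP and 1993 packets flip to deny-forward and SSH is still permitted. Narrowing the permit itself (a specific -proto and -dstport) rather than relying on denies in front is the less fragile way to get the same result, since it cannot be undone by someone reordering the rules.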

