Enclosed is my open reply to Compaq/Microcom: --------------------------------------------- At 10:31 AM 14/08/98 -0500, you wrote: > >The Compaq 6000 has no security problems. Yes it does. >The problem is that ALEC does not know how to deny telnet to specific Ip >addresses. No. The problem is that your username/password login process is poorly written. Did you read this? If so, please read it over 10 times, and then have someone else rephrase it for you: > The denial of service problem is this: there is no timeout when typing >in the username and password - from what I have seen, a user can make a >telnet connection to the MNC or PRI card and leave the connection open >indefinitely. If the user only has one connection open, then this is not >problem. However, the system will not accept more than 4 telnet connections >at one time. Thus, a malicious user/hacker could open 4 telnet connections >to either (or both cards) and deny all legitimate connections to the card. > The other problem is that the system does not close the connection after >a specified number of invalid login attempts. A program such as 'crack' > If I want to make 4 subsequent telnet sessions to the Login/Username prompt, it will stop the rightful owner from accessing the machine unless he powercycles it. That is a denial of Service. Also, the login and password attempts should time out if no data is received over a certain amount of time. Futhermore, after 3 incorrect password entries, it should reset and cause the person to re-telnet the box. This is standard with the Ascend Max product we use, as well as, the Computone Powerrack we use. >That was the solution we gave him, he did not like it. Maybe it's too much >work. No, maybe its not fixing the real issue which is an improperly written Login/Password interface. >The above mentioned solution should be standard policy for any system >administrator, that has internet access on his network. Not only for the >6000, but any server's or any >communication equipment that is on a given network. You're 100% wrong. >Jim Kerwin >COMPAQ - NAC >Networking Support Engineer >*E-Mail: James.Kerwinat_private Jim.. Rather than cause futher embarassment to your company, please get engineering to put some modifications in the next kernel release. Shiloh Costa Senior System Administrator MDI Internet Inc.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:41 PDT