Device: Allied Telesyn AT-AR220e, Firmware 1.08a RC14, combined DSL/Cable-Router, NAT, Firewall, HTML-Config This Device is equipped with the function 'Virtual Server', which is a portmapper WAN -> LAN. The 'Virtual Server'-functionality can be disabled completely and single portmappings can be disabled each, too. Problem: If a portmapping is set-up, e.g. Status; Global Port; Internal Port; Internal IP; Protocol disabled; 80; 80; 192.168.0.1; TCP AND the Virtual-Server-Feature is enabled, there is no check for the enabled/disabled setup of each of the single portmappings. They still remain active. Impact: It is possible to gain access to mapped services, which may be left unsecured. Solution: Unused mappings should be deleted from the list-of-portmappings. If there are no used mappings at all, the Virtual-Server-feature should be disabled. Vendor-Status: Informed on 2001-14-05 Regards, Axel P.S.: first posting ;-) -- de: GRAFX & DESIGN marketing Michael-Imhof-Str. 17 86609 Donauwörth Tel.: +49 (0)906-705706-11 Fax: +49 (0)906-705705-12 Mobile: +49 (0)171-9321435 info@grafx-design.de http://www.grafx-design.de
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 01:25:54 PDT