At 00:25 30/04/98 -0400, Chris Brenton wrote: >-= ArkanoiD =- wrote: >> A question is: what non-IP protocols can be (and should be) firewalled? >"Should" is implementation specific, "can is a whole different story. > >IPX - filter RIPs and SAPs to control server access >You can control who can get to each server by blocking route and server >advertisements. This is not as clean as it may sound as you have a few limitations: > >1) You can not filter on a per client basis (at least not that I have seen) >2) Depending on the config, you can circumvent the filtering > >For example, let's say I have a client on network 1 and there are two servers on >network 2. I want the client to be able to access server A but not server B. While >I can filter out RIP/SAP so the client will not see the server, all the client has >to do is query server A for all known servers. This will tell me about server B and >allow me to connect up. To prevent this, I would have to hide server A&B from each >other, not a good thing in an NDS environment. Hmmm. Generally speaking, filtering RIP means no SAPs get passed for the filtered routes, but I guess you're talking about GNS (via server A) allowing access to a filtered service. Even if server A can deliver a GNS answer for server B (denied by a route filter), a packet-wise access list in the inbound interface should be able to cream off packets to the blocked server. But since IPX uses broadcasts to advertise network reachabilty, it is hard to hide specific reachability info from *specific* clients on a single broadcast domain. >AT - Filter Zone names and network ranges >Again, not the best security control as I must block full ranges, I can not block >individual clients. AT devices dynamically grab a unique address on startup. This >means that I can not block individual clients as I can not predict which address >they will use. Yes this can be preset, but it's way to easy to reset it. You can filter out specific zones and NBP 'services' using Cisco IOS, but you're correct, client address allocation is dynamic, which makes blocking specific machines hard. Is this any different from DHCP/BOOTP in IP? >NetBIOS - ???? >None that I know of beyond filtering out traffic to the multicast address >030000000001. This still is not cool as it would block all NEtBIOS/NEtBEUI traffic. >About the equivalent of just cutting the cable. You do get a bit of control if you >use scopes but this is way too easy to defeat. Or use NETBIOS name filtering to control access to servers. >Given the above descriptions, I guess IP is not all that insecure after all. ;) >> Some people ask me if i can let ipx through firewalls i build - i answer no >> just because i can't filter and monitor it properly and thus it will break the >> security policy.. > >Cisco does a pretty good job of filtering IP, IPX and AT. NetWare 4.1 includes a >utility called filtcfg that can be run from the server console. You need to enable >support through inetcfg first, but it does a pretty cool job of controlling traffic >in multi-NIC servers. If you have connections to other nets via links other than your 'outside' IP feed, you're on a slippery path anyway. Just because it isn't IP doesn't make it any safer or less safe. If you can't secure it, don't allow it. Dave Phelan +---------------------------------------------------------------+ | Dave Phelan dphelanat_private | | CCIE# 3590 http://freepages.pavilion.net/users/dphelan | | | | "I do not think an enormous permanent underclass is a | | very good thing to have if you're attempting to operate | | something that at least pretends sometimes to be a democracy."| | -- William Gibson. | +---------------------------------------------------------------+
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:26 PDT