Re: non-IP firewalls

From: David Phelan (dphelanat_private)
Date: Wed May 06 1998 - 14:26:23 PDT

  • Next message: Bennett Todd: "Inward telnet from insecure clients (was Re: Security Related Issues)"

    At 00:25 30/04/98 -0400, Chris Brenton wrote:
    >-= ArkanoiD =- wrote:
    >> A question is: what non-IP protocols can be (and should be) firewalled?
    >"Should" is implementation specific, "can is a whole different story.
    >IPX - filter RIPs and SAPs to control server access
    >You can control who can get to each server by blocking route and server
    >advertisements. This is not as clean as it may sound as you have a few
    >1) You can not filter on a per client basis (at least not that I have seen)
    >2) Depending on the config, you can circumvent the filtering
    >For example, let's say I have a client on network 1 and there are two
    servers on
    >network 2. I want the client to be able to access server A but not server
    B. While
    >I can filter out RIP/SAP so the client will not see the server, all the
    client has
    >to do is query server A for all known servers. This will tell me about
    server B and
    >allow me to connect up. To prevent this, I would have to hide server A&B
    from each
    >other, not a good thing in an NDS environment.
    Hmmm. Generally speaking, filtering RIP means no SAPs get passed for the
    filtered routes, but I guess you're talking about GNS (via server A)
    allowing access to a filtered service. Even if server A can deliver a GNS
    answer for server B (denied by a route filter), a packet-wise access list
    in the inbound interface should be able to cream off packets to the blocked
    But since IPX uses broadcasts to advertise network reachabilty, it is hard
    to hide specific reachability info from *specific* clients on a single
    broadcast domain.
    >AT - Filter Zone names and network ranges
    >Again, not the best security control as I must block full ranges, I can
    not block
    >individual clients. AT devices dynamically grab a unique address on
    startup. This
    >means that I can not block individual clients as I can not predict which
    >they will use. Yes this can be preset, but it's way to easy to reset it.
    You can filter out specific zones and NBP 'services' using Cisco IOS, but
    you're correct, client address allocation is dynamic, which makes blocking
    specific machines hard. Is this any different from DHCP/BOOTP in IP?
    >NetBIOS - ????
    >None that I know of beyond filtering out traffic to the multicast address
    >030000000001. This still is not cool as it would block all NEtBIOS/NEtBEUI
    >About the equivalent of just cutting the cable. You do get a bit of
    control if you
    >use scopes but this is way too easy to defeat.
    Or use NETBIOS name filtering to control access to servers.
    >Given the above descriptions, I guess IP is not all that insecure after
    all. ;)
    >> Some people ask me if i can let ipx through firewalls i build - i answer no
    >> just because i can't filter and monitor it properly and thus it will
    break the
    >> security policy..
    >Cisco does a pretty good job of filtering IP, IPX and AT. NetWare 4.1
    includes a
    >utility called filtcfg that can be run from the server console. You need
    to enable
    >support through inetcfg first, but it does a pretty cool job of
    controlling traffic
    >in multi-NIC servers.
    If you have connections to other nets via links other than your 'outside'
    IP feed, you're on a slippery path anyway. Just because it isn't IP doesn't
    make it any safer or less safe. If you can't secure it, don't allow it.
    Dave Phelan
    | Dave Phelan                         dphelanat_private    |
    | CCIE# 3590 |
    |                                                               |
    | "I do not think an enormous permanent underclass is a         |
    | very good thing to have if you're attempting to operate       |
    | something that at least pretends sometimes to be a democracy."|
    |                                            -- William Gibson. |

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:26 PDT