Re: Dangers from SNA?

From: joe_daunceyat_private
Date: Tue Jul 13 1999 - 10:26:33 PDT


Juergen,

If your bypass is purely layer two (i.e. token-ring/ethernet and no IP) then
you will be secure from an IP point of view because IP runs on layer three,
and you can't play tricks on a protocol that isn't there. However, you
still have the vulnerability with SNA traffic. There are ways you can spoof
MAC addresses, so you want to evaluate that. Unfortunately I don't know too
much about SNA security. You also need some way of ensuring that no one
enables layer three on the network devices.

If you use DLSw you can treat it like IP through the firewall; however, the
firewall is only going to be looking at the IP session characteristics, and
not the SNA characteristics or contents. You also need to ensure that the
firewall does not cause too much time lag, or else you will end up having
dropped sessions all the time if the keepalives can't get through.

You also want to ask about how the SNA is being sent over the WAN. He may
already be using DLSw, as the only alternative I know is a split-bridge.
Whatever way it is being passed, the devices are quite probably IP
addressable, and so you need to remove all traces of IP before the layer
three element is removed.

Hope this helps,

Joe

Telecomms Specialist                                        Opinions mine
own, etc.......
AT&T Global Network Services
Firewalls, IP & Opennet Services
Security Analysis - Network Design Team
    
    
Juergen.Nieveler@gecits-eu.com on 07/13/99 08:50:01 AM

Please respond to Juergen.Nieveler@gecits-eu.com

To:   firewall-wizardsat_private
cc:    (bcc: Joe Dauncey/UK/IBM)
Subject:  Dangers from SNA?
    
Hi all!

A client of mine wants to secure his WAN with a firewall, but pass all
SNA-traffic through a bypass, because firewalls don't work too well with
SNA. In effect, all SNA-users (the IBM Net, for example) would connect
directly to his network. Are there any dangers from this approach, besides
it being bloody ludicrous to bypass a firewall at all?

Would repacking the SNA in IP with DLSw add more security, or just help to
put it through the firewall?

Thanks in advance for any insights!

Yours sincerely

Juergen Nieveler
CompuNet Koeln
System Engineering
Industriestrasse 161e, 50999 Koeln, Germany
Phone: ++49(0)2236/608161, Fax: ++49(0)2236/9651220,
Internet: Juergen.Nieveler @ gecits-eu.com
    



This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:33:12 PDT