Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Level3 routing issues?

  • From: alex
  • Date: Mon Jan 27 19:28:57 2003


> > Deny everything.
> > Allow outbound port 80
> Bzzt! You just let in an ActiveX exploit. Or Javascript. Or....

And I have successfully blocked everything other than AcriveX or JavaScript
or whatever else.

> > Allow mail server to 25
> 
> Bzzt! You just let in a new Outlook exploit.

It is talking only to your own server. Presumably you already made sure that
your Outlook by itself does not do anything funny?

> > If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
> > the name of the other mahine.
> 
> Bzzt! You just let in an AIM exploit.  That's assuming that you even *know*
> what the current name of the other machine is this time around - this
> laptop has had 6 IP addresses in as many hours.  Remember there's a reason
> why 'talk george@his-box.whatever.dom' isn't as common anymore....

Oscar.aol.com and whatever the name of another .aol.com machine it is
are the names associated with services that AIM connects to. 

> > I am failing to see a problem.
> 
> Well.. other than you let a box that wants to talk on the VPN get outside
> access to 3 things that are *KNOWN* vectors of malware which could then
> attack the VPN side of things, no, there's no problem here.

That's why the policy on that box that wants to talk to the secure network
over VPN is to drop all but the traffic to/from gateway VPN client connects
to on the floor. 

It is being done. CheckPoint, for example, manages to manage policy on the
client not to contradict the policy of the site. Why dont others do it is
beyond me.

Alex





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.