North American Network Operators Group
Re: Level3 routing issues?
- From: alex
- Date: Mon Jan 27 19:28:57 2003
> > Deny everything.
> > Allow outbound port 80
or whatever else.
> > Allow mail server to 25
> Bzzt! You just let in a new Outlook exploit.
It is talking only to your own server. Presumably you already made sure that
your Outlook by itself does not do anything funny?
> > If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
> > the name of the other machine.
> Bzzt! You just let in an AIM exploit. That's assuming that you even *know*
> what the current name of the other machine is this time around - this
> laptop has had 6 IP addresses in as many hours. Remember there's a reason
> why 'talk email@example.com' isn't as common anymore....
Oscar.aol.com and whatever the name of another .aol.com machine it is
are the names associated with services that AIM connects to.
> > I am failing to see a problem.
> Well.. other than you let a box that wants to talk on the VPN get outside
> access to 3 things that are *KNOWN* vectors of malware which could then
> attack the VPN side of things, no, there's no problem here.
That's why the policy on that box that wants to talk to the secure network
over VPN is to drop all but the traffic to/from gateway VPN client connects
to on the floor.
It is being done. CheckPoint, for example, manages to manage policy on the
client not to contradict the policy of the site. Why don't others do it is