[55356] in North American Network Operators' Group


Re: Level3 routing issues?

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jan 27 16:37:04 2003

To: alex@yuriev.com
Cc: nanog@merit.edu
In-Reply-To: Your message of "Mon, 27 Jan 2003 16:00:51 EST."
             <Pine.LNX.4.10.10301271556420.30768-100000@s1.yuriev.com> 
From: Valdis.Kletnieks@vt.edu
Date: Mon, 27 Jan 2003 16:31:24 -0500
Errors-To: owner-nanog-outgoing@merit.edu



On Mon, 27 Jan 2003 16:00:51 EST, alex@yuriev.com said:
> It is very easy. 
> 
> Deny everything.
> Allow outbound port 80

Bzzt! You just let in an ActiveX exploit. Or Javascript. Or....

> Allow mail server to 25

Bzzt! You just let in a new Outlook exploit.

> If you need AIM, allow AIM from workstations to oscar.aol.com and whatever
> the name of the other machine.

Bzzt! You just let in an AIM exploit.  That's assuming that you even *know*
what the current name of the other machine is this time around - this
laptop has had 6 IP addresses in as many hours.  Remember there's a reason
why 'talk george@his-box.whatever.dom' isn't as common anymore....

> I am failing to see a problem.

Well.. other than you let a box that wants to talk on the VPN get outside
access to 3 things that are *KNOWN* vectors of malware which could then
attack the VPN side of things, no, there's no problem here.

