[11963] in bugtraq


Re: NAI Security Advisory - Windows IP source routing

daemon@ATHENA.MIT.EDU (Ronan Waide)
Wed Sep 22 14:42:09 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14312.38458.914706.425730@spike.scope.ie>
Date:         Wed, 22 Sep 1999 09:41:30 +0100
Reply-To: Ronan Waide <waider@SCOPE.IE>
From: Ronan Waide <waider@SCOPE.IE>
X-To:         Holger Heimann <hh@it-sec.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <006b01bf0403$b9e3f2c0$0300a8c0@ibh.de>

On September 21, hh@it-sec.de said:
> > Windows TCP/IP stacks configured to disable IP forwarding or IP
> > source routing, allow specific source routed datagrams to route
> > between interfaces.  Effectively, the Windows TCP/IP stack can
> > not be configured to disable IP datagrams passing between
> > networks if two network cards have been installed.
>
> Any knowledge whether Firewall/Packet-Filtering Products based on the
> Windows TCP/IP stack are concerned and under what circumstances?
>
> thanks, hh

Being similarly concerned, I checked with a friend of mine who works
for an Internet security firm. His response, roughly:

It's only an issue if your Windows TCP/IP stack is out in the open. If
it's behind a router, you can turn off source routing at the router -
and, in fact, most ISPs probably do this already. Additionally, at
least one NT-based firewall vendor claims that their stack 'precedes'
the NT stack in the chain of traffic, so the broken stack should be
protected that way.

He also thinks that current Cisco routers come with source-routed
packets disabled by default.

Cheers,
Waider.
--
waider@scope.ie / Small Planet Ltd. / +353-1-8303455 / +353-1-8300888 (Fax)

"Life sucks. Get a helmet."
 - Denis Leary, as quoted by Susan Witterick on "It never rains, it POURS."
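As an added illustration of the check a border filter makes when it "turns off source routing" as described above, here is a small IPv4 option parser that flags LSRR/SSRR options (example code added to this archive page, not from the original post or the NAI advisory). The function names and the two sample headers are constructed for the example.

```python
import struct

# IPv4 option types (RFC 791) that carry a source route.
LSRR = 0x83  # Loose Source and Record Route
SSRR = 0x89  # Strict Source and Record Route

def parse_source_route(packet: bytes):
    """Return the LSRR/SSRR option of an IPv4 header as a dict, or None if absent."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (LSRR, SSRR):
            pointer = opts[i + 2]            # offset of the next hop; 4 = first address
            route = opts[i + 3:i + length]   # list of 4-byte hop addresses
            hops = [".".join(map(str, route[j:j + 4]))
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return {"kind": "strict" if kind == SSRR else "loose",
                    "next_hop_index": (pointer - 4) // 4, "hops": hops}
        i += length
    return None

def should_drop(packet: bytes) -> bool:
    # Filtering decision of a router configured to refuse source-routed datagrams.
    return parse_source_route(packet) is not None

def _ipv4_header(options: bytes) -> bytes:
    # Constructed sample header (checksum left 0); IHL is counted in 32-bit words.
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

# Constructed samples: a plain header, and one carrying NOP + LSRR with two hops.
SAMPLE_PLAIN = _ipv4_header(b"")
SAMPLE_LSRR = _ipv4_header(bytes([1, LSRR, 11, 4, 10, 0, 0, 1, 192, 168, 1, 1]))
```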
