[783] in bugtraq


Re: Router filtering not enough! (Was: Re: CERT advisory )

daemon@ATHENA.MIT.EDU (Dave Mitchell)
Thu Jan 26 07:11:11 1995

Date: Thu, 26 Jan 95 10:09:13 GMT
From: Dave Mitchell <D.Mitchell@dcs.shef.ac.uk>
To: bugtraq@fc.net

"Jonathan M. Bresler" <jmb@kryten.Atinc.COM> writes:
>On Tue, 24 Jan 1995, Jim Duncan wrote:
>
>> > As has been pointed out, only network or
>> > transport-level encryption will entirely block these attacks.
>> 
>> That's correct.  That and teach people the difference between identification
>> and authentication.
>
>	a filtering router is enough to prevent this attack from being 
>used from "the outside".

This is all well and good as long as there is a simple "inside"/"outside"
distinction. I am in this happy situation at the moment, and I have a filter
between my dept and the main campus which rejects external packets claiming
an internal src IP address. HOWEVER, I am likely to come under political
pressure soon to allow R-protocol, NFS, etc to a machine on the other
side of this filter. At which point my filter is virtually useless.

So I think it's true to say that as a generalisation, encryption *is*
the only way to block attacks.


Dave.

* David Mitchell, Systems Administrator,    email: D.Mitchell@dcs.shef.ac.uk
* Dept. Computer Science, Sheffield Uni.    phone: +44 114-282-5573
* 211 Portobello St, Sheffield S1 4DP, UK.  fax:   +44 114-278-0972
*
* Standards (n). Battle insignia or tribal totems
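
Added example (not part of the original message): a small Python model of the situation described above, in which a border filter drops outside packets claiming an inside source address, and inside hosts extend address-based trust to one machine on the far side. All addresses, names and the `genuine` ground-truth flag are constructed assumptions for the simulation.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not from the message.
INTERNAL_NET = ip_network("192.0.2.0/24")      # the department behind the filter
TRUSTED_REMOTE = ip_address("198.51.100.10")   # far-side host granted r-protocol/NFS access

def border_filter(pkt):
    """Forward unless a packet arriving from outside claims an internal source."""
    spoofed_internal = pkt["iface"] == "outside" and ip_address(pkt["src"]) in INTERNAL_NET
    return not spoofed_internal

def host_trusts(pkt):
    """Address-based trust: the claimed source is all the host looks at."""
    src = ip_address(pkt["src"])
    return src in INTERNAL_NET or src == TRUSTED_REMOTE

def evaluate(packets):
    """Return {name: verdict} for each packet after the filter and the host check."""
    verdicts = {}
    for p in packets:
        if not border_filter(p):
            verdicts[p["name"]] = "dropped at filter"
        elif not host_trusts(p):
            verdicts[p["name"]] = "forwarded, refused by host"
        elif p["genuine"]:
            verdicts[p["name"]] = "accepted"
        else:
            verdicts[p["name"]] = "accepted (forged source)"
    return verdicts

# "genuine" is ground truth known only to the simulation; neither the filter
# nor the host can observe it, which is the point of the example.
PACKETS = [
    {"name": "internal-peer",   "iface": "inside",  "src": "192.0.2.20",    "genuine": True},
    {"name": "forged-internal", "iface": "outside", "src": "192.0.2.20",    "genuine": False},
    {"name": "trusted-remote",  "iface": "outside", "src": "198.51.100.10", "genuine": True},
    {"name": "forged-remote",   "iface": "outside", "src": "198.51.100.10", "genuine": False},
    {"name": "stranger",        "iface": "outside", "src": "203.0.113.5",   "genuine": True},
]

if __name__ == "__main__":
    for name, verdict in evaluate(PACKETS).items():
        print(f"{name:16} {verdict}")
```

The filter still catches the forged internal source, but the forged packet claiming the trusted far-side address is indistinguishable from the genuine one at both checkpoints.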
