[794] in bugtraq
Re: Router filtering not enough! (Was: Re: CERT advisory )
daemon@ATHENA.MIT.EDU (Jonathan M. Bresler)
Thu Jan 26 18:45:03 1995
Date: Thu, 26 Jan 1995 15:27:18 -0500 (EST)
From: "Jonathan M. Bresler" <jmb@kryten.Atinc.COM>
To: Dave Mitchell <D.Mitchell@dcs.shef.ac.uk>
Cc: bugtraq@fc.net
In-Reply-To: <9501261009.AA01988@dcs.shef.ac.uk>
On Thu, 26 Jan 1995, Dave Mitchell wrote:
> "Jonathan M. Bresler" <jmb@kryten.Atinc.COM> writes:
> >On Tue, 24 Jan 1995, Jim Duncan wrote:
> >
> >> > As has been pointed out, only network or
> >> > transport-level encryption will entirely block these attacks.
> >>
> >> That's correct. That and teach people the difference between identification
> >> and authentication.
> >
> > a filtering router is enough to prevent this attack from being
> >used from "the outside".
>
> This is all well and good as long as there is a simple "inside"/"outside"
> distinction. I am in this happy situation at the moment, and I have a filter
> between my dept and the main campus which rejects external packets claiming
> an internal src IP address. HOWEVER, I am likely to come under political
> pressure soon to allow R-protocol, NFS, etc to a machine on the other
> side of this filter. At which point my filter is virtually useless.
"political pressure soon to allow R-protocol, NFS, etc" those
reasons fall under the rubric of non-technical considerations. i do not
belittle them; frequently the technical fix is easy, but the political
situation is intolerable. can you 'spoof' the sources of the pressure?
place their data on a machine that is outside, but appears to them to be
inside. remember, provide management with a couple of typos to correct
and they won't notice the elephant in the corner of the office. if
necessary draw an integral on the elephant side---guarantees management
blindness :) if necessary, you can even refer to the integral "as you
can see here, the integral of packet density over time, using a poincare
(;)))))) distribution of arrival times.......) you know how to do this.
> So I think it's true to say that as a generalisation, encryption *is*
> the only way to block attacks.
sounds good. but the other is available now, with little or no
implementation problems. a quick effective measure, till something
better is developed.
jmb
Jonathan M. Bresler jmb@kryten.atinc.com | Analysis & Technology, Inc.
| 2341 Jeff Davis Hwy
play go. | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
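An added example, not code from either poster, of the boundary filter Dave describes (reject packets arriving from outside that claim an inside source address, and the mirror-image egress rule) and of the situation he is worried about: once a host that inside machines trust by address sits on the outside of the filter, the filter passes a forged packet claiming that host's address just as it passes the real one. The prefixes, the trusted-host list and the packets are constructed; rhosts_would_accept is a toy stand-in for r-protocol address-based trust, not real rlogin/rsh logic:

```python
"""Boundary anti-spoofing filter, as discussed in the thread above.

Added example, not code from any of the posters.  The prefixes and hosts
below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed: the prefix that lives on the "inside" of the filter.
INSIDE_NETS = [ip_network("192.0.2.0/24")]


class Packet(NamedTuple):
    iface: str  # interface the packet arrived on: "outside" or "inside"
    src: str    # claimed source address
    dst: str


def is_inside(addr: str) -> bool:
    """True if addr falls inside one of the protected prefixes."""
    try:
        a = ip_address(addr)
    except ValueError:
        return False
    return any(a in net for net in INSIDE_NETS)


def filter_packet(pkt: Packet) -> tuple[bool, str]:
    """Apply the two address/interface consistency rules.

    Ingress: a packet arriving from outside must not claim an inside
    source.  Egress: a packet leaving from inside must not claim an
    outside source (keeps our own hosts from spoofing other sites).
    A malformed source address is dropped rather than guessed about.
    """
    try:
        ip_address(pkt.src)
    except ValueError:
        return False, "drop: malformed source address"
    if pkt.iface == "outside" and is_inside(pkt.src):
        return False, "drop: outside packet claims inside source"
    if pkt.iface == "inside" and not is_inside(pkt.src):
        return False, "drop: inside packet claims outside source"
    return True, "pass"


def rhosts_would_accept(pkt: Packet, trusted: set[str]) -> bool:
    """Toy r-protocol trust decision: accept if the filter passes the
    packet and the claimed source is in the trust list.  This is
    identification by address only, with no authentication, which is
    the weakness the thread is about."""
    allowed, _ = filter_packet(pkt)
    return allowed and pkt.src in trusted


def run_samples() -> dict[str, bool]:
    """Constructed traffic.  198.51.100.7 is a trusted host that has been
    placed on the outside of the filter (the "political pressure" case);
    anyone outside can claim its address and the filter cannot tell."""
    trusted = {"192.0.2.10", "198.51.100.7"}
    samples = {
        "spoof inside addr from outside": Packet("outside", "192.0.2.10", "192.0.2.1"),
        "spoof outside trusted host from outside": Packet("outside", "198.51.100.7", "192.0.2.1"),
        "legit inside peer": Packet("inside", "192.0.2.10", "192.0.2.1"),
        "inside host spoofing outside addr": Packet("inside", "203.0.113.9", "192.0.2.1"),
    }
    return {name: rhosts_would_accept(p, trusted) for name, p in samples.items()}


if __name__ == "__main__":
    for name, accepted in run_samples().items():
        print(f"{name:45s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The first sample is the attack the filter is for and it is rejected; the second is the same forgery aimed at the trusted address that now lives outside, and it is accepted, because the interface/source check has nothing to object to. That is the gap Dave points at, and why the thread lands on authentication (encryption) rather than more filtering for the general case.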