[857] in bugtraq
Re[2]: Router filtering not enough! (Was: Re: CERT advisory
daemon@ATHENA.MIT.EDU (Nayfield, Rod)
Tue Jan 31 12:34:20 1995
Date: Tue, 31 Jan 95 11:08:48 EST
From: "Nayfield, Rod" <rnayfield@mail.iconnet.com>
To: danny@miriworld.its.unimelb.EDU.AU
Cc: firewalls@GreatCircle.COM, bugtraq@fc.net
One other thing to note is that many sites are set up without any
internal routing protocols; imagine a cisco 7000 with 5 ethernets and
5 class C networks attached to the ethernets (and a serial out to the
rest of the Internet). If you were to somehow implement a MAC check
for the addresses, anything coming from the Internet or any of the
other 4 (local) C's will come from the router's MAC. If you trust a
machine on one of the other ethernets, you will have no way of telling
where the packet came from. If you implemented an access list which
denies the local addresses from coming in over the serial but lets
everything else in, you can be reasonably sure that a packet from a
local address is at least within your network and not from the
Internet.
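The access-list idea in the post above, worked through as an added example (not part of the original message or of any vendor's code): a small model of the router topology Rod describes, showing why a MAC check cannot tell Internet traffic from traffic off another local Ethernet, and how an inbound filter on the serial interface that denies the local prefixes does. The five /24 networks, the interface names and the MAC addresses are constructed for the illustration; the `access-list` lines it emits follow classic Cisco IOS numbered-ACL syntax (network address plus wildcard mask).

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology, modelled on the post: five class C networks, one per
# Ethernet port, plus one serial link to the rest of the Internet.
LOCAL_NETS = [ipaddress.ip_network(f"10.1.{i}.0/24") for i in range(1, 6)]
SEGMENT_OF = {net: f"Ethernet{i}" for i, net in enumerate(LOCAL_NETS)}
EXTERNAL_IFACES = ("Serial0",)
ROUTER_MAC = "00:00:0c:aa:bb:cc"   # constructed; the router's own hardware address


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the router received the packet on
    src: str       # claimed source IP, dotted quad
    dst: str       # destination IP, dotted quad


def is_local(addr: str) -> bool:
    """True if addr falls inside one of the site's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def segment_of(addr: str):
    """Name of the Ethernet segment an address belongs to, or None if external."""
    ip = ipaddress.ip_address(addr)
    for net, iface in SEGMENT_OF.items():
        if ip in net:
            return iface
    return None


def source_mac_seen_by(host_addr: str, src_addr: str, sender_mac: str) -> str:
    """The Ethernet source MAC a host on one segment observes for a packet.

    Only a sender on the same segment delivers its own MAC; anything routed
    in (another local Ethernet or the Internet) carries the router's MAC, so
    the two cases are indistinguishable at layer 2.
    """
    if segment_of(host_addr) == segment_of(src_addr) and segment_of(host_addr):
        return sender_mac
    return ROUTER_MAC


def filter_decision(pkt: Packet) -> str:
    """Inbound filter on the external interface: deny packets that claim a
    local source but arrive from the Internet side; permit everything else.

    This gives the assurance stated in the post and no more: a packet with a
    local source is then at least from inside the site, but one local
    Ethernet can still forge an address belonging to another one.
    """
    if pkt.ingress in EXTERNAL_IFACES and is_local(pkt.src):
        return "deny"
    return "permit"


def ios_access_list(number: int = 101) -> list:
    """Render the same policy as Cisco IOS numbered access-list lines.

    To apply it: under 'interface Serial0', 'ip access-group <number> in'.
    """
    lines = [
        f"access-list {number} deny ip {net.network_address} {net.hostmask} any"
        for net in LOCAL_NETS
    ]
    lines.append(f"access-list {number} permit ip any any")
    return lines


def apply_filter(packets):
    """Run the filter over a batch and return (packet, decision) pairs."""
    return [(p, filter_decision(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic: a spoofed local address from the Internet,
    # a genuine Internet source, and a local-to-local packet.
    sample = [
        Packet("Serial0", "10.1.1.5", "10.1.2.9"),
        Packet("Serial0", "198.51.100.7", "10.1.2.9"),
        Packet("Ethernet2", "10.1.3.5", "10.1.1.9"),
    ]
    for pkt, verdict in apply_filter(sample):
        print(f"{pkt.ingress:10} {pkt.src:15} -> {pkt.dst:15} {verdict}")
    print("\n".join(ios_access_list()))
```

`source_mac_seen_by` returns the router's MAC both for a packet from the Internet and for one from a neighbouring Ethernet, which is the post's first point; `filter_decision` only inspects ingress interface and source prefix, so it catches the Internet-side forgery while, as the post says, a packet from another local Ethernet is still let through on trust.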