Re: Router filtering not enough! (Was: Re: CERT advisory )

Jonathan M. Bresler (jmb@kryten.Atinc.COM)
Thu, 26 Jan 1995 15:27:18 -0500 (EST)

On Thu, 26 Jan 1995, Dave Mitchell wrote:

> "Jonathan M. Bresler" <jmb@kryten.Atinc.COM> writes:
> >On Tue, 24 Jan 1995, Jim Duncan wrote:
> >
> >> > As has been pointed out, only network or
> >> > transport-level encryption will entirely block these attacks.
> >> 
> >> That's correct.  That and teach people the difference between identification
> >> and authentication.
> >
> >	a filtering router is enough to prevent this attack from being 
> >used from "the outside".
> 
> This is all well and good as long as there is a simple "inside"/"outside"
> distinction. I am in this happy situation at the moment, and I have a filter
> between my dept and the main campus which rejects external packets claiming
> an internal src IP address. HOWEVER, I am likely to come under political
> pressure soon to allow R-protocol, NFS, etc to a machine on the other
> side of this filter. At which point my filter is virtually useless.

	"political pressure soon to allow R-protocol, NFS, etc"   those 
reasons fall under the rubric of non-technical considerations.  i do not 
belittle them; frequently the technical fix is easy, but the political 
situation is intolerable.  can you 'spoof' the sources of the pressure?  
place their data on a machine that is outside, but appears to them to be 
inside.  remember, provide management with a couple of typos to correct 
and they won't notice the elephant in the corner of the office.  if 
necessary draw an integral on the elephant side---guarantees management 
blindness :)  if necessary, you can even refer to the integral "as you 
can see here, the integral of packet density over time, using a Poincaré 
(;)))))) distribution of arrival times.......)  you know how to do this.

> So I think it's true to say that as a generalisation, encryption *is*
> the only way to block attacks.

	sounds good.  but the other is available now, with little or no 
implementation problems.  a quick effective measure, till something 
better is developed.

jmb

Jonathan M. Bresler  jmb@kryten.atinc.com	| Analysis & Technology, Inc.  
						| 2341 Jeff Davis Hwy
play go.					| Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life	| 703-418-2800 x346
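The filter Dave describes above (a router between the department and the rest of campus that rejects packets arriving from outside while claiming an inside source address) can be modelled as a few lines of decision logic. The following is an added illustration written for this archive page, not code from the thread or from any router vendor. It assumes a constructed inside prefix of 10.1.0.0/16, two interfaces named "outside" and "inside", and goes slightly beyond the thread in two ways: it also drops packets leaving via the inside interface with a non-inside source (the mirror-image egress rule), and `trust_protected()` makes Dave's caveat concrete: the filter only covers forging of addresses it considers inside, so a trust relationship (r-protocols, NFS) extended to a host on the far side of the filter is not protected by it.

```python
"""Anti-spoofing filter model for a border router (added example, not from the thread).

Constructed assumptions: inside prefix 10.1.0.0/16; interfaces "outside"/"inside".
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed example: the address block that sits behind the filtering router.
INSIDE_NETS = [ipaddress.ip_network("10.1.0.0/16")]
# Source addresses that never legitimately arrive on the outside interface.
BOGON_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str


def _in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept"|"drop", reason) for one packet, based only on
    the arrival interface and the claimed source address."""
    if pkt.iface == "outside":
        # The rule from the thread: outside packets must not claim an inside source.
        if _in_any(pkt.src, INSIDE_NETS):
            return ("drop", "inside source address arriving from outside")
        if _in_any(pkt.src, BOGON_NETS):
            return ("drop", "bogon source address arriving from outside")
        return ("accept", "outside source arriving from outside")
    if pkt.iface == "inside":
        # Mirror-image egress rule (beyond the thread): inside hosts may only
        # send with inside source addresses.
        if not _in_any(pkt.src, INSIDE_NETS):
            return ("drop", "non-inside source address leaving via inside interface")
        return ("accept", "inside source leaving via inside interface")
    return ("drop", "unknown interface")


def filter_packets(pkts: Iterable[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply decide() to a batch and return (packet, verdict, reason) triples."""
    return [(p, *decide(p)) for p in pkts]


def trust_protected(trusted_host: str) -> bool:
    """Does this router's filter stop outsiders forging the given host's address?
    Only addresses the filter regards as inside are covered; a trusted host on
    the far side of the filter is not."""
    return _in_any(trusted_host, INSIDE_NETS)


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("outside", "10.1.2.3", "10.1.0.5"),    # forged inside source from outside
    Packet("outside", "192.0.2.7", "10.1.0.5"),   # ordinary inbound traffic
    Packet("outside", "127.0.0.1", "10.1.0.5"),   # bogon source
    Packet("inside", "10.1.0.5", "192.0.2.7"),    # ordinary outbound traffic
    Packet("inside", "192.0.2.9", "10.1.0.5"),    # forged source leaving from inside
]

if __name__ == "__main__":
    for pkt, verdict, why in filter_packets(SAMPLE):
        print(f"{pkt.iface:8} {pkt.src:>12} -> {pkt.dst:<12} {verdict:6} ({why})")
    for host in ("10.1.0.9", "192.0.2.7"):
        print(host, "trust relationship covered by filter:", trust_protected(host))
```

Run as a script it prints one verdict per sample packet; the two `trust_protected()` calls at the end show the distinction Dave raises: once a service trusts a host at 192.0.2.7 on the other side of the filter, this router has no way to tell a forged 192.0.2.7 from the real one, which is why he concludes the filter becomes "virtually useless" for that relationship.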