Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)

To: tqbf@secnet.com
Subject: Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)
From: Joe Pautler <pautler@grasshopper.cit.buffalo.edu>
Date: Thu, 19 Mar 1998 16:50:32 -0500 (EST)
Cc: ascend-users@bungi.com
In-Reply-To: <19980319173321.1964.qmail@joshua.enteract.com> from "tqbf@secnet.com" at Mar 19, 98 05:33:21 pm
Sender: owner-ascend-users@max.bungi.com

tqbf@secnet.com wrote:
]
]There is a problem with this. Employing IP-address-based ACLs for SNMP
]does make it harder to get SNMP values from a MIB, but it does not make it
]any harder to set them.

Of course it does.  As you said, you have to spoof the IP address, which
you otherwise wouldn't have to do.... that "makes it harder".



]You can take steps to make this work; employ inside/outside spoof
]protection filters at the perimiter of your network,

Actually, we have this type of filter on every one of our router
interfaces.  If the packet coming in does not have a source address
which is appropriate, it goes no further.  And our Internet link
drops everything coming in that has a source address that is in our
address space.

___________________________________________________________________________
Joe Pautler, E.I.T.                             University at Buffalo
CIT/OSS Network Engineering                     224 Computing Center
http://www.oss.buffalo.edu/~pautler             (716) 645-3536

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

References:

Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)

From: tqbf@secnet.com

Prev by Date: Re: (ASCEND) filter port 139
Next by Date: (ASCEND) Radius + Generic Win95 DUN client
Prev by thread: Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)
Next by thread: Re: (ASCEND) [rootshell] Security Bulletin #16 (fwd)
Index(es):
- Main
- Thread