-----------------------------------------------------------------
This mail bounced back when sent to <firewalls@GreatCircle.COM>.
Trying again. Sorry if you somehow got this twice.
-----------------------------------------------------------------
It seems like a lot of software these days bases its license
enforcement management on the license server package called flexlm.
As I understand it (don't take my word for it), it works like this:
1) A host on the net runs a flexlm server with the appropriate
license file. The licenses are for that specific host and locked
to the host id of that host.
2) An application running on any host on the whole Internet and
needing a license asks the license server for a license. If the
license server accepts, it forks and the child execs an
application-specific license program on the license host. The
application needing the license and the license program keep
an open IP connection until one of them dies.
3) Summary. On the license host will run the license server and
an application-specific program. On the application host will
run the application program (and whatever else).
4) Nightmare. The flexlm server runs by default as root, so if you
want to attack some sites, this might be an excellent entry if
the programmers of flexlm didn't get the gets() and other holes
right.
Now for my questions.
Q1) What kind of traffic does this generate? (I know of tcpdump and etherfind,
but perhaps somebody has already done it.)
Q2) What security implications does this traffic have?
Q3) What kind of license nonsense traffic should be allowed through a firewall?
Q4) Does necessary license traffic open up anything else, like
interception of either sessions and/or communication?
Q5) Should the license server program run in a restricted environment? (Do you
trust the producer of flexlm and/or do you trust the provider of your application
needing flexlm, which often provides you with an additional copy of flexlm?)
The same applies to the application-specific software needed on the license host.
Basically, what can harm me?
I really don't want to run a license server where I can't read the source code.
Now for something else.
Recently I asked our supplier of software to MD5-verify for me the software
he had sent on floppies recently, but he refused. The company involved was
Cooper & Chyan Technology (boohhhhhhhhhhhhh !).
Am I paranoid if I want to be able to prove where software on my systems
(incl. viruses) comes from? Just in case of any lawsuit. What is the
general requirement (apart from not doing anything)?
Comments and perhaps some answers would be appreciated.
regards
Peter Maersk-Moller
---
Technical Manager E-mail maersk@ghdsign.dk
Peter Maersk-Moller GSM +45 40164125
-------
GHDsign Phone +45 44441482
Bakkesvinget 12 Fax +45 44490044
DK-2880 Bagsvaerd BBS +45 44440940
DENMARK
\|||/
(. .)
-----------------------------ooO-(_)-Ooo---------------------------------
__ _
/ / (_)__ __ ____ __
/ /__/ / _ \/ // /\ \/ / . . . t h e c h o i c e o f a
/____/_/_//_/\___/ /_/\_\ G N U g e n e r a t i o n . . .
-------------------------------------------------------------------------
|| ||
ooO Ooo
|
|
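Added example, not part of the post above and not flexlm's own code or protocol: a toy Python model of the handoff described in points 1 to 3, with the assumption (the way the FlexLM family behaves in practice) that the forked, application-specific license program listens on a port chosen at run time and the client is told that port by the main server. The message strings and port choices are constructed; the point for a firewall administrator is that a rule for the server's known port alone does not cover the second, long-lived connection.

```python
import socket
import threading

# Constructed model of the two-step license exchange the post describes:
# a license server on a known port answers a client by pointing it at a
# per-application "vendor" daemon whose port is only chosen at run time.

def vendor_daemon():
    """Stands in for the forked application-specific license program."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port: not known in advance
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:                       # stays open while the client uses it
            if conn.recv(64) == b"CHECKOUT demo\n":
                conn.sendall(b"GRANTED\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def license_server():
    """The daemon on the fixed port that a firewall rule would normally cover."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64).startswith(b"HELLO"):
                # Hand off: start the vendor daemon and tell the client its port.
                conn.sendall(b"VENDOR %d\n" % vendor_daemon())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def checkout(server_port):
    """Client side of the exchange; returns (vendor_port, reply)."""
    with socket.create_connection(("127.0.0.1", server_port)) as c:
        c.sendall(b"HELLO\n")
        vendor_port = int(c.recv(64).split()[1])
    with socket.create_connection(("127.0.0.1", vendor_port)) as c:
        c.sendall(b"CHECKOUT demo\n")
        return vendor_port, c.recv(64).strip().decode()

def ports_a_firewall_must_allow():
    """Runs one full checkout and returns (server_port, vendor_port, reply)."""
    server_port = license_server()
    vendor_port, reply = checkout(server_port)
    return server_port, vendor_port, reply
```

Running `ports_a_firewall_must_allow()` shows two distinct ports for one license checkout, which is why such traffic is usually confined to the internal network rather than passed through a firewall as a single-port rule.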