> On Sat, 25 Nov 1995, Brent Chapman wrote:
>
> > Every reasonable firewall I can think of is capable of meeting the
> > second condition above, for the network architectures used by most
> > sites. The question each individual site has to ask is, can they
> > meet the first condition above (i.e., can they say "we don't trust
> > anything beyond our perimeter", and actually get away with it).
> > Many (most?) sites can, some can't.
> Nick Simicich - njs @ scifi . emi . ne - replied with
> Nameservice usually seems to be a major exception. Everyone trusts
> nameservers by IP address to locate other machines. Hopefully only
> outside of their perimeter.
>
There's one other potential threat: NTP. It is feasible to perform a
denial of service attack on an HHA system by modifying the
time on the HHA server via NTP. I'm not an expert on NTP, so please
no flames, but I've seen sites that perform time updates without
using keys (and relying on IP address), which would leave them vulnerable
to this type of attack. Of course, this would work for any application that
relies on accurate/synchronised clocks, but we can't all be stratum-1 servers,
can we ;-)
--------------------------------------
Darren Harter
Project Manager (Guards and Firewalls)
Communications-Electronics Security Group
PO BOX 144
Cheltenham
Glos
GL52 5AJ
England
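A defender's check for the weakness Darren describes, added here as an example and not part of the original thread: this Python script audits an ntpd-style ntp.conf and flags every server/peer/pool line that carries no "key" option (a time source trusted by IP address alone), plus key ids that are referenced but never set up. The two configuration samples are constructed.

```python
import shlex

# ntpd directives that name a time source
SOURCE_DIRECTIVES = {"server", "peer", "pool"}

def audit_ntp_conf(text):
    """Return (line number, message) findings for an ntp.conf text."""
    findings = []
    keys_file = None
    trusted = set()
    keyed_sources = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        directive, args = tokens[0], tokens[1:]
        if directive == "keys" and args:
            keys_file = args[0]
        elif directive == "trustedkey":
            # integer key ids only; ntpd's range syntax is not handled here
            trusted.update(int(a) for a in args if a.isdigit())
        elif directive in SOURCE_DIRECTIVES and args:
            host = args[0]
            opts = args[1:]
            pos = opts.index("key") if "key" in opts else -1
            if pos >= 0 and pos + 1 < len(opts) and opts[pos + 1].isdigit():
                keyed_sources.append((lineno, host, int(opts[pos + 1])))
            else:
                findings.append((lineno, f"{directive} {host}: no key, trusted by IP address only"))
    # a key option is only meaningful if the key is trusted and a key file exists
    for lineno, host, key_id in keyed_sources:
        if key_id not in trusted:
            findings.append((lineno, f"{host}: key {key_id} is not listed in trustedkey"))
        if keys_file is None:
            findings.append((lineno, f"{host}: key {key_id} used but no keys file declared"))
    return findings

# constructed sample: the weak setup, every source trusted purely by IP address
WEAK_CONF = """\
server 192.0.2.10 iburst
server 192.0.2.11
restrict default nomodify
"""

# constructed sample: symmetric-key authentication on every source
HARDENED_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2
server 192.0.2.10 key 1 iburst
server 192.0.2.11 key 2
restrict default nomodify
"""
```

Running `audit_ntp_conf(WEAK_CONF)` reports both sources; the hardened sample produces no findings.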