On Sun, 24 Mar 1996, Andrew Molitor wrote:
> a spanning tree protocol, I suspect you could persuade it to do naughty
> things if you fed it some bad BPDUs.
If you have only one way in/out of the protected net, spanning tree isn't
(necessarily, depending on the internal structure) needed. You could
probably launch a denial of service attack based on STA, otherwise, and
trick the bridge into disabling a/the valid route out. You *might* be
able to trick a bridge into forwarding packets that were
internal-internal source and destination, by getting a MAC address into
the "outside" side of the table, but IMHO, internal addresses should be
static rather than learned if you are looking for security.
> Lastly, bridges are inherently a little leakier than Unix boxes,
> ARP goes right through 'em, as does anything non-IP, unless you take
> steps. I don't know how the firewall-bridge guys handle IPX et al,
> but they *might* flow right through.
Most bridges these days (at least the ones I've worked with) can perform
basic filtering, and I think it is a fair assumption to make that any
DOS-loaded firewall "firmware" is going to employ such filtering as well.
IPX should only "go right through" if the person configuring the bridge
has set it to bridge IPX. Comes back to the basic step 1 of determining
if your stance is "permit what is not explicitly denied" vs. "deny what
is not explicitly permitted." If you can't get that far, you probably
shouldn't be playing with firewalls. This isn't really much of an
argument against using DOS as a load mechanism, which, as I recall, is
where this thread started.
just my $.02.
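As an added illustration of the defender side of the STA point above (example code, not part of the original thread), this parses an 802.1D configuration BPDU and raises the alerts a bridge operator would want: a BPDU arriving on a port where no bridge belongs, a claimed root ID numerically better than the known root, or the topology-change flag set. The expected-root and sample bridge IDs are constructed values.

```python
import struct
from typing import NamedTuple

# 802.1D configuration BPDU layout (35 bytes after the LLC header, DSAP/SSAP 0x42, ctrl 0x03).
# Fields: proto id, version, type, flags, root id, root path cost, bridge id, port id,
#         message age, max age, hello time, forward delay (timers in 1/256 s).
_CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")

class BPDU(NamedTuple):
    flags: int
    root_id: bytes       # 2-byte priority + 6-byte MAC; numerically lower wins the root election
    root_path_cost: int
    bridge_id: bytes
    port_id: int

def parse_config_bpdu(payload: bytes) -> BPDU:
    """Parse the 35-byte 802.1D configuration BPDU that follows the LLC header."""
    if len(payload) < _CONFIG_BPDU.size:
        raise ValueError("short BPDU")
    proto, _version, bpdu_type, flags, root_id, cost, bridge_id, port_id, *_ = _CONFIG_BPDU.unpack_from(payload)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    return BPDU(flags, root_id, cost, bridge_id, port_id)

def check_bpdu(payload: bytes, expected_root: bytes, edge_port: bool = False) -> list[str]:
    """Return the alerts for one BPDU seen on a given port.

    expected_root is the 8-byte bridge ID of the legitimate root bridge.
    edge_port marks a port where no bridge is supposed to be attached at all.
    """
    alerts = []
    if edge_port:
        alerts.append("BPDU received on an edge port")   # the condition BPDU guard shuts a port on
    b = parse_config_bpdu(payload)
    if b.root_id < expected_root:
        alerts.append("superior BPDU claims a better root than the known root")
    if b.flags & 0x01:
        alerts.append("topology change flag set")
    return alerts

def _bpdu(root_id: bytes, cost: int, bridge_id: bytes, flags: int = 0) -> bytes:
    # Constructed sample BPDU with default 802.1D timers (max age 20 s, hello 2 s, fwd delay 15 s).
    return _CONFIG_BPDU.pack(0, 0, 0, flags, root_id, cost, bridge_id, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)

LEGIT_ROOT = bytes.fromhex("8000" "00aa00000001")   # constructed: priority 32768, MAC 00:aa:00:00:00:01
OTHER_ROOT = bytes.fromhex("0000" "00bb00000002")   # constructed: priority 0, so it sorts below LEGIT_ROOT

if __name__ == "__main__":
    print(check_bpdu(_bpdu(LEGIT_ROOT, 0, LEGIT_ROOT), LEGIT_ROOT))
    print(check_bpdu(_bpdu(OTHER_ROOT, 0, OTHER_ROOT, flags=0x01), LEGIT_ROOT))
```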