On Tue, 30 Jul 1996, Peter da Silva wrote:
> I don't know about a *hole*, but it does mean that the security of the
> firewall function is dependent of the security of your PDC. I have some
> misgivings about this, though at least if they snoop the OWF password
> it doesn't mean they'll be able to use it to get through the firewall
> since I can't think of any way to trick the firewall into passing that
> through unscathed.
Beyond that, what if the primary goes away? Can any of the NT fans shed
some light on selection and authentication of the BDCs, or even what makes
a PDC authentic? Failover due to router and/or route compromise is
certainly an area of concern for me. Esp. in a multiple master domain
strategy such as the one I've seen bandied about here.
Also, are the yes/no conversations in the clear? We've already seen NFS
and FTP data corrupted in transit in the lab, and most of us aren't
switching all over the place yet, I'd hazard to guess.
This also makes me wonder about denial of service attacks with either
unsigned or invalid "no" responses.
Lastly, is the account information on the firewall for proxy usage, or is
it also for things like Administrator, firewall administration, and access
to NT services? Then I'd address the denial of service and primary/backup
domain controller issue in a lot more depth than "I don't see any issues".
:)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts @
clark .
net which may have no basis whatsoever in fact."
PSB#9280
Follow-Ups:
References:
|
|
