>>Watch out for IPGATEWAYs. If you run MacIP encapsulation or IPX encapsulation
>>on that access server, you will effectively be bypassing any firewalling of
>>Unscreened IP packets can then pass into your corporate net using the other
>>protocols as transport.
>From: Mark Saltzman on Thu, 3 Aug, 1995 9:03 AM
>Subject: appletalk and ipx dangers?
>To: firewalls @
>Does anyone see any danger in allowing ipx and appletalk traffic to be
>routed through my firewall?
Well, that is both true and untrue, isn't it? I suppose if the IP gateway
that users connect to at dial-in time runs ON the firewall machine, then
users who use this service might be able to use this mechanism to bypass
Users from the Internet wouldn't be able to, though, since the router to
the internet wouldn't have to route IPX/Appletalk.
One thing to be aware of is that if there is an IP-gateway running inside
the firewall in any Appletalk zone then a user would be able to change his
setup at home to get his IP address from that one instead of the one
running in the unsafe zone. That of course would give him unlimited access
to the internal network and be entirely unsafe!
Gartnervang 29 Roskilde, DK