> To: dbsbanke @
> sg (Baey Chin Cheng), lmeyer @
> Cc: firewalls @
> Subject: Re: your mail
> In similar terms - the breach would be hideously impossible:
> 1. When you dial into the ISP, the host will generate a dynamic IP address
> for your use during that session. Each time you dial in you will be given
> another IP address from the ISP's pool which could number in the hundreds.
Well, some ISPs do this. Others use static addresses for your
machine. Also, the original mail didn't say whether this involved
PCs connected by modem to an ISP, or a bunch of PCs on a LAN with
some kind of larger connection to the ISP.
> 2. The hacker has to know you are dialed in to begin a successful attack. -
No, they could be doing a sweep with something like SATAN, ISS,
> 3. Out of the box Windows 3.1 has none of the "server" options mentioned.
True, but out of the box Windows 3.1 doesn't have any TCP/IP software
at all. Most of the newer TCP/IP software has these options.
Windows for Workgroups (what ships on machines today),
Windows 95 (what's shipping real soon), and Windows
NT/Workstation also have these functions out of the box.
> Questions to ask would include questions relating to the security of the
> ISP's system and the policies regarding their employees etc. How many IP
> addresses are allocated? Does the ISP allocate static IP addresses?
Some ISPs are pretty good about security. Most are horrendous.
Even if they're pretty good, and even if they have dynamic addressing,
you're still not safe from a scanning tool like SATAN.
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Florham Park, NJ
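
Added example, not part of the original mail: a sweep touches every address in the pool, so a dynamically assigned address is probed no matter which one the session received, and the same pattern (one source, many pool addresses, short time) is what a defender can flag in connection logs. The log format, addresses, port and thresholds below are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src dst dport" (format is an assumption).
# 198.51.100.0/24 stands in for the ISP's dynamic dial-up pool.
SAMPLE_LOG = """\
1995-07-10T21:00:01 192.0.2.77 198.51.100.10 139
1995-07-10T21:00:02 192.0.2.77 198.51.100.11 139
1995-07-10T21:00:03 192.0.2.77 198.51.100.12 139
1995-07-10T21:00:03 203.0.113.5 198.51.100.12 25
1995-07-10T21:00:04 192.0.2.77 198.51.100.13 139
1995-07-10T21:00:05 192.0.2.77 198.51.100.14 139
1995-07-10T21:00:06 192.0.2.77 198.51.100.15 139
1995-07-10T21:04:40 203.0.113.5 198.51.100.12 25
1995-07-10T21:10:00 192.0.2.200 198.51.100.10 21
1995-07-10T21:45:00 192.0.2.200 198.51.100.14 21
"""

def detect_sweeps(log_text, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: [dst, ...]} for sources that touched at least
    min_hosts distinct destinations inside one sliding time window."""
    events = defaultdict(list)                 # src -> [(time, dst)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                           # skip malformed lines
        ts, src, dst, _port = parts
        events[src].append((datetime.fromisoformat(ts), dst))

    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window until it spans at most `window` of time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_hosts and len(targets) > len(sweeps.get(src, ())):
                sweeps[src] = targets          # keep the widest burst seen
    return {src: sorted(t) for src, t in sweeps.items()}

if __name__ == "__main__":
    for src, targets in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(targets)} pool addresses: {targets}")
```

Whichever pool address a dial-in session was handed, it appears in the flagged source's target list; the repeat mail client and the slow FTP user are not flagged.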