> > (input filtering on port 1 == output filtering on port 2) holds true
> > for all traffic
> > that is going *through* a 2-port router. It is not true for traffic *to*
> > or *from* the router, e.g., telnet to the router to configure it,
> > routing protocols, ICMP, etc.
>
> Not when you add IP source routing options to the equation.
Naively: How do IP source routing options figure into this?
(I hadn't considered source routing; I believe that what I said holds
true without the source routing option turned on in the packets and
regardless of whether source routing is enabled or disabled in the
router. If someone configures an outbound-only filter on the ethernet
port [of an ethernet/serial router] that blocks telnet, then telnet
sessions could still be established with the router through the serial
interface; and if outbound telnet packets are blocked on both
interfaces [and the router does not send a TCP RST when a packet is
denied] then a blind/guess telnet attack could possibly be mounted
against the router. Although I use telnet in this example, this
obviously also applies to other protocols understood by the router).
Chris Tyler    Chris@DeJong.Com    CTyler@Oxford.Net
Systems Development Manager, Wm. De Jong Enterprises Inc.
+1-519-424-9007 / fax +1-519-424-2399
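The two claims above (that an inbound filter on port 1 and an outbound filter on port 2 agree for transit traffic but not for traffic addressed to the router, and that an outbound-only telnet block on the ethernet port leaves the router reachable over the serial port) can be checked against a small model. The following is an added example, not code from the original post or from any router vendor: it models a 2-port router whose interface addresses are constructed documentation-range values, and it assumes, as Chris's argument does, that outbound filters are also applied to packets the router itself generates (real platforms differ on this, so verify it for the device at hand). The defender's takeaway it demonstrates is that the router's own services are only protected by inbound filters on every interface.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str          # interface the packet arrived on ("local" = router-generated)


Rule = Callable[[Packet], bool]   # a rule returns True when the packet must be dropped


def block_telnet(pkt: Packet) -> bool:
    return TELNET in (pkt.sport, pkt.dport)


@dataclass
class TwoPortRouter:
    addrs: Dict[str, str]                                    # iface -> router's own address
    filters: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)

    def add_filter(self, iface: str, direction: str, rule: Rule) -> None:
        self.filters.setdefault((iface, direction), []).append(rule)

    def _denied(self, iface: str, direction: str, pkt: Packet) -> bool:
        return any(rule(pkt) for rule in self.filters.get((iface, direction), []))

    def _other(self, iface: str) -> str:
        # with exactly two ports, the egress is whichever port is not the ingress
        return next(i for i in self.addrs if i != iface)

    def receive(self, pkt: Packet) -> str:
        """Disposition of a packet arriving from the wire."""
        if self._denied(pkt.ingress, "in", pkt):
            return "dropped-in:" + pkt.ingress
        if pkt.dst in self.addrs.values():
            return "delivered-to-router"          # no outbound filter ever sees it
        egress = self._other(pkt.ingress)
        if self._denied(egress, "out", pkt):
            return "dropped-out:" + egress
        return "forwarded:" + egress

    def send(self, pkt: Packet, egress: str) -> str:
        """Disposition of a packet the router itself generates.  Model assumption:
        outbound filters also apply to router-generated traffic (platforms differ)."""
        if self._denied(egress, "out", pkt):
            return "dropped-out:" + egress
        return "sent:" + egress


def telnet_session_to_router(r: TwoPortRouter, client: str, via: str) -> bool:
    """True if a telnet handshake with the router's address on `via` can complete."""
    syn = Packet(client, r.addrs[via], 40000, TELNET, via)
    if r.receive(syn) != "delivered-to-router":
        return False
    syn_ack = Packet(syn.dst, syn.src, TELNET, syn.sport, "local")
    return r.send(syn_ack, via) == "sent:" + via


def outbound_only_on_ethernet() -> Dict[str, object]:
    """Chris's example: telnet blocked only outbound on the ethernet port."""
    r = TwoPortRouter({"eth0": "192.0.2.1", "ser0": "198.51.100.1"})   # constructed addresses
    r.add_filter("eth0", "out", block_telnet)
    return {
        "transit ser0->eth0": r.receive(Packet("198.51.100.9", "192.0.2.50", 40000, TELNET, "ser0")),
        "transit eth0->ser0": r.receive(Packet("192.0.2.50", "198.51.100.9", 40000, TELNET, "eth0")),
        "session via eth0": telnet_session_to_router(r, "192.0.2.50", "eth0"),
        "session via ser0": telnet_session_to_router(r, "198.51.100.9", "ser0"),
    }


def inbound_vs_outbound_equivalence() -> Dict[str, object]:
    """'in on port 1' and 'out on port 2' agree for transit traffic but not for
    traffic addressed to the router itself."""
    a = TwoPortRouter({"eth0": "192.0.2.1", "ser0": "198.51.100.1"})
    a.add_filter("eth0", "in", block_telnet)
    b = TwoPortRouter({"eth0": "192.0.2.1", "ser0": "198.51.100.1"})
    b.add_filter("ser0", "out", block_telnet)
    transit = Packet("192.0.2.50", "198.51.100.9", 40000, TELNET, "eth0")
    to_router = Packet("192.0.2.50", "192.0.2.1", 40000, TELNET, "eth0")
    return {
        "transit agree": (a.receive(transit) != "forwarded:ser0")
                         == (b.receive(transit) != "forwarded:ser0"),
        "to-router, inbound filter": a.receive(to_router),
        "to-router, outbound filter": b.receive(to_router),
    }


if __name__ == "__main__":
    for name, result in {**outbound_only_on_ethernet(), **inbound_vs_outbound_equivalence()}.items():
        print(f"{name}: {result}")
```

In the first scenario the serial-side session completes while the ethernet-side one fails only because the model drops the router's reply; in the second, both filter placements drop the transit packet but only the inbound filter stops the packet addressed to the router.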