I've been wondering about this lately. Does the part that runs on the
pc provide a WinSockets DLL for the applications, said DLL providing
the standard API to applications, but talking IPX to the gateway? If
not, disregard the rest of this message.
If so, you might have to consider people running FTP servers, HTTP
servers, and any other WinSockets-capable server or application on
their desktop; the fact that the datastream gets translated from one
protocol to another doesn't mean squat if it supports this kind of
connectivity directly to the desktop.
If these products present a single IP address to the world, it's
probably analogous to a single virtual computer in so far as IP is
concerned, and you'd potentially be able to exercise a lot of control
at the gateway itself. Only one process could bind to and listen on
port 80, e.g., and you likely could explicitly disallow that.
But unless the package specifically prevents pc processes from
listening on any port, users could still set up servers on any
non-standard port. If it disallows listens, how would a standard FTP
client work unless forced to use PASV mode? Conjecture: the
gateway could behave like a stateful packet filter and allow the listen
on the port it sees in the FTP PORT command. (Obviously, a proprietary
FTP client specific to the gateway package could be made to work using
proprietary features of the gateway implementation.)
Looking forward to clarification on these points from anyone with
experience with these sorts of gateways.
- KH
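The conjecture above, that the gateway could act as a stateful filter and open the desktop's listening port only after seeing it announced in the FTP PORT command, as an added sketch (not code from any gateway product or from this thread). It assumes a simplified model in which the gateway knows which internal desktop sent the control-channel line and which external server it was sent to; the class and function names are invented for illustration.

```python
import re
from dataclasses import dataclass, field

# FTP PORT argument: h1,h2,h3,h4,p1,p2 -> host h1.h2.h3.h4, port p1*256+p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

def parse_port_command(line):
    """Return (host, port) from an FTP PORT line, or None if it is malformed."""
    m = PORT_RE.match(line.strip())  # strip() drops the trailing CRLF
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port

@dataclass
class GatewayFilter:
    """Default-deny inbound filter that punches one-shot pinholes for FTP data
    connections announced on a control channel it has watched (hypothetical)."""
    pinholes: set = field(default_factory=set)  # (desktop_host, port, server_host)

    def observe_control(self, desktop_host, server_host, line):
        """Inspect an outbound control-channel line from a desktop; returns True
        if a pinhole was opened."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        host, port = parsed
        # Only honour a PORT naming the desktop that sent it, and only an
        # unprivileged port, so the command cannot open ports on other hosts.
        if host != desktop_host or port < 1024:
            return False
        self.pinholes.add((desktop_host, port, server_host))
        return True

    def allow_inbound(self, src_host, dst_host, dst_port):
        """Decide an inbound connection attempt toward a desktop. Anything not
        announced via PORT (e.g. a user-run server on an odd port) is denied;
        an announced pinhole is consumed after one use."""
        key = (dst_host, dst_port, src_host)
        if key in self.pinholes:
            self.pinholes.discard(key)
            return True
        return False
```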
Jeffry Tank wrote:
>
> Can anyone tell me if it is true that by putting an IP/IPX gateway between your
> internal IPX lan and your internet server, you can prevent _all_ attacks to
> your system from the outside (the internet)? Seems too simple to me, but some
> folks at my company insist that this is true. What about IPX packets
> wrapped in an IP layer? (assuming this can be done) Then when the IP layer
> is stripped off at the gateway couldn't the IPX packets contain info to
> inflict damage to the internal network, at say the Novell server?