Many thanks to all who replied.  I've got some good verbiage now.  In
particular the multi-layer defense.  

> -----Original Message-----
> From: Evans, TJ (BearingPoint) [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 12:36 PM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> So ... doesn't that give them enough supporting evidence all 
> by itself?
>       If not, maybe it is a lost cause?
> 
> As an aside - a PIX, if it was permitting the offending port through as
> well, may not have stopped the worm either.  Think "Defense in Depth".  A
> firewall, while a necessity for -everyone- (IMHO) is not a cure-all; it is a
> piece of a very large, very complex puzzle (even for a small network!).
> 
> ..
> Have someone in a Decision-making position there read 
> "Hacking __(pick an os
> - Windows2k, Linux, etc.)____", or attend a SANS course (or 
> just visit their
> reading room - TONS of articles).  Read Eric Cole's or Ed 
> Skoudis's books.
> .. or, teach him/her to use google ... 
> 
> 
> Thanks!
> TJ
> -----Original Message-----
> From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, April 03, 2003 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> There's an access list on the ethernet interface that's directly connected to
> a DSL modem.
> 
> They're allowing telnet and SMTP to, basically, any any, plus various other
> protocols from/to specific addresses.  There're only two outside addresses
> that are NATted but it's really hideous and the access list is the only thing
> resembling a layer of security between the internet and their server farm.  
> 
> I was just hoping to hear some really good verbiage about how vulnerable they
> are.  I've told them for 3 months to get a PIX but it just ain't sinking in.
> Now they've got a worm loose on their mail server that's bringing down their
> main host system and their internet line (but that's another story).
> 
> 
> 
> > -----Original Message-----
> > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, April 03, 2003 8:46 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: hacking challenge [7:66720]
> > 
> > 
> > Wilmes, Rusty wrote:
> > > 
> > > This is a general question for the security specialists.
> > > 
> > > I'm trying to convince a client that they need a firewall....
> > > 
> > > So hypothetically, 
> > > 
> > > if you had telnet via the internet open to a router (with an access list
> > > that allowed smtp and telnet) (assuming you didn't know the telnet password
> > > or the enable password) that had a bunch of NT servers on another interface,
> > 
> > Do you actually mean that you are allowing Telnet and SMTP to go through the
> > router? You said "to" above which is confusing. Allowing Telnet to the
> > router unrestricted would be a horrible security hole, even for people who
> > don't know the password because passwords are often guessable.
> > 
> > But I don't think that's what you meant...
> > 
> > Allowing Telnet and SMTP through the router is more common, 
> > especially SMTP.
> > You have to allow SMTP if you have an e-mail server that gets 
> > mail from the
> > outside world. Avoid Telnet, though, if you can. It sends all 
> > text as clear
> > text, including passwords.
> > 
> > The question is really how vulnerable is the operating system that the SMTP
> > server is running on? It's probably horribly vulnerable if your client
> > hasn't kept up with the latest patches, and it sounds like your client is
> > the type that hasn't? In fact, the server is probably busy attacking the
> > rest of us right now! ;-0
> > 
> > So, as far as convincing your customer....
> > 
> > The best way may be to put a free firewall, like Zone Alarm, 
> > on the decision
> > maker's computer and show her/him all the attacks happening 
> > all the time. Or
> > if she already has a firewall, walk her through the log.
> > 
> > Good luck. I have a good book to recommend on this topic:
> > 
> > Greenberg, Eric. "Mission-Critical Security Planner." New 
> > York, New York,
> > Wiley Publishing, Inc., 2003.
> > 
> > Here's an Amazon link:
> > 
> > http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> > inc/104-9901005-4572707
> > 
> > Priscilla
> > 
> > > how long would it take a determined hacker a) to cause some kind of network
> > > downtime and b) to map a network drive to a share on a file server over the
> > > internet. 
> > > 
> > > Thanks,
> > > Rusty
> > > 
> > > > -----Original Message-----
> > > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: VLAN loop problem [7:66656]
> > > > 
> > > > 
> > > > Yes,
> > > > it prevents loops in spanning tree on layer 2 switches from causing a loop
> > > > by disabling the port on a Cisco switch...
> > > > 
> > > > 
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > > 
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] 
> > > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > > Thomas N.
> > > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Re: VLAN loop problem [7:66656]
> > > > >
> > > > >
> > > > > What does "portfast bpdu-guard" do?  Does it prevent
> > > interfaces with
> > > > > portfast enabled from causing the loop in my scenario?
> > > > >
> > > > >
> > > > > ""Larry Letterman""  wrote in message
> > > > > news:[EMAIL PROTECTED]
> > > > >
> > > > > > port mac address security might work, although it's a lot of admin
> > > > > > overhead..are you running portfast bpdu-guard on the access ports?
> > > > > >
> > > > > >
> > > > > > Larry Letterman
> > > > > > Network Engineer
> > > > > > Cisco Systems
> > > > > >
> > > > > >
> > > > > >   ----- Original Message -----
> > > > > >   From: Thomas N.
> > > > > >   To: [EMAIL PROTECTED]
> > > > > >   Sent: Tuesday, April 01, 2003 8:14 PM
> > > > > >   Subject: VLAN loop problem [7:66656]
> > > > > >
> > > > > >
> > > > > >   Hi All,
> > > > > >
> > > > > >   I got a problem in the production campus LAN here between VLANs.  Please
> > > > > >   help me out!  Below is the scenario:
> > > > > >
> > > > > >   We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets.  Routing is
> > > > > >   enabled/allowed between the two subnets using the MSFC of the 6500.  Each
> > > > > >   subnet has a DHCP server to assign IP addresses to devices on its subnet.
> > > > > >   Spanning-tree is enabled; however, portfast is turned on on all
> > > > > >   non-trunking/uplink ports.  Recently, devices on VLAN 10 got assigned an
> > > > > >   IP address of 10.20.x.x, which is from the DHCP on the other scope and
> > > > > >   also from the 10.10.x.x scope, and vice versa.  It seems that we have a
> > > > > >   loop somewhere between the 2 subnets but we don't know where.  I noticed
> > > > > >   lots of end users have a little unmanaged hub/switch hanging off the
> > > > > >   network jacks in their cubicles and potentially causing a loop.
> > > > > >
> > > > > >   Is there any way that we can block the loop on the Cisco switches
> > > > > >   without visiting cubicles taking those little unmanaged hubs/switches?
> > > > > >   Thanks!
> > > > > >
> > > > > >   Thomas
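An added example for the access-list situation Rusty describes (editor's code, not from any of the posters and not Cisco's). It parses a small subset of IOS extended-ACL syntax and flags the permits the thread calls out: Telnet or SMTP open "any any", and Telnet reaching the router's own outside interface from any source. The ACL text, the 203.0.113.x/198.51.100.x addresses and the ROUTER_ADDRS list are constructed documentation-range values; the weak list is paired with a tightened one in the shape Priscilla suggests (SMTP only to the one mail server that needs it, no Telnet from the Internet).

```python
"""Audit a Cisco IOS extended access list for wide-open inbound permits.

Added example, not code from the thread or from Cisco.  Only a subset of
IOS syntax is parsed: numbered (`access-list N ...`) or named entries with
protocol ip/tcp/udp, addresses written as `any`, `host A.B.C.D` or
`A.B.C.D WILDCARD`, and an optional `eq <port>` on either side.  Anything
else raises ValueError so an unsupported entry is never reported as safe.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "ftp": 21, "domain": 53}
ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]   # None means every port
    raw: str


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcards are inverted netmasks (0.0.0.255 == /24).  Convert by
    hand: ipaddress would read a bare 0.0.0.0 mask as /0, the opposite."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def _parse_port(tokens, i):
    """Consume an optional `eq <port>`; other operators are rejected."""
    if i < len(tokens) and tokens[i] in ("gt", "lt", "neq", "range"):
        raise ValueError(f"unsupported port operator {tokens[i]!r}")
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        if name in PORT_NAMES:
            return PORT_NAMES[name], i + 2
        if name.isdigit():
            return int(name), i + 2
        raise ValueError(f"unknown port name {name!r}")
    return None, i


def parse_acl(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:      # numbered form: drop "access-list N"
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                            # blank, '!', remark, 'ip access-list ...'
        action, proto = tokens[0], tokens[1]
        if proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported protocol in {raw.strip()!r}")
        src, i = _parse_addr(tokens, 2)
        _, i = _parse_port(tokens, i)           # source port: not used by the audit
        dst, i = _parse_addr(tokens, i)
        dst_port, i = _parse_port(tokens, i)
        entries.append(AclEntry(action, proto, src, dst, dst_port, raw.strip()))
    return entries


def audit(acl_text: str, router_addrs) -> list:
    """Return (entry, reason) pairs for permits that expose every inside host,
    or the router itself, to any source on the Internet."""
    routers = [ipaddress.IPv4Address(a) for a in router_addrs]
    findings = []
    for e in parse_acl(acl_text):
        if e.action != "permit":
            continue
        src_any, dst_any = e.src == ANY, e.dst == ANY
        if src_any and dst_any and e.dst_port is None:
            findings.append((e.raw, f"all {e.proto} traffic from any source to every inside host"))
        elif e.dst_port == 23 and src_any:
            if dst_any:
                reason = "cleartext Telnet from any source to every inside host"
            elif any(r in e.dst for r in routers):
                reason = "Telnet to the router itself from any source; restrict the vty lines"
            else:
                reason = "cleartext Telnet from any source into the inside network"
            findings.append((e.raw, reason))
        elif e.dst_port == 25 and src_any and dst_any:
            findings.append((e.raw, "SMTP from any source to every inside host; allow it only to the mail server"))
    return findings


# Constructed sample: 203.0.113.1 stands for the router's DSL-facing address.
ROUTER_ADDRS = ["203.0.113.1"]
WEAK_ACL = """\
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any host 203.0.113.1 eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.11 eq 22
access-list 101 deny ip any any log
"""
HARDENED_ACL = """\
ip access-list extended OUTSIDE-IN
 remark only the mail server takes SMTP from the Internet
 permit tcp any host 203.0.113.10 eq smtp
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.11 eq 22
 deny tcp any any eq telnet log
 deny ip any any log
"""

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        found = audit(acl, ROUTER_ADDRS)
        print(f"{name}: {len(found)} finding(s)")
        for entry, reason in found:
            print(f"  {entry}\n      -> {reason}")
```

Run it as a script to print the findings for both lists; paste a real `show access-lists` or running-config fragment into WEAK_ACL to audit it. The parser deliberately refuses `gt`/`lt`/`range` operators and unknown port names rather than guessing, because an entry that is silently mis-parsed as "some other port" would hide exactly the kind of any-any permit the thread is worried about. Extend PORT_NAMES with the IOS names your configs use.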




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66853&t=66720
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
