On Sat, 4 Sep 1999, Espinola, Micheal wrote:
> I believe this is stated in the documentation. This will definitely happen
> unless you configure R/RAS to use an IP "pool". R/RAS "pre-allocates" IP
> addresses for all potential connections.
Actually I have seen it allocate _2_ addresses per connection, one for the
remote end and one for the local end. Static IP pools can help contain the
damage but if you are low on IP address space RAS is not your friend.
And to keep more with the topic, I had a small JetDirect weirdness this
week. On Monday I installed JetDirect, and I also did other various bits of
work on a few machines. Later that night at 1am I noticed a couple of errors
on one of my firewalls (linux) about not being able to access the floppy.
I also noticed a few machines' packet filters filtering an SNMP request from the
NT server with JetDirect. One was exactly at the time of the floppy disk
error (no disk in drive).
Looking at my logs I noticed an external scan that was SNMP/POP scanning my
address space 15 minutes before this. I was almost ready to reinstall the
NT machine and try to figure out how an attack got by my firewall and host
based port filtering on the NT box. Fortunately I remembered the
SNMP/JetDirect posts here and checked the config. Guess what? By default
JetDirect was trying to "Auto Discover" daily at 1am. The damn thing would
SNMP scan both the internal and external network, and there was no way to
unbind that specific service from the external network. So my fix was to
turn off autodiscovery.
I really wonder how many people with cable modems or DSL bridges are going
to be getting calls from their ISPs. I mean if they have installed
jetdirect drivers on the IP network they are scanning their IP subnet which
is shared with others. Hmm, guess you will autodiscover your neighbors'
printers since so few people have firewalls; guess this is ease of use.
I also noticed with my box (170x) I have to set a password via the web for
SNMP and the admin interface, but I also had to telnet in to set the telnet
password. All these methods seemed to use a different password and default to
"nothing". I.e., my box was open to telnet (well, from my NATed LAN anyway)
for most of the week. Any LAN user could have telneted in and changed the
IP address.
Cliff
--
| Cliff Skolnick | "They that can give up essential liberty to |
| Steam Tunnel Operations | obtain a little temporary safety deserve |
| [EMAIL PROTECTED] | neither liberty nor safety." |
| http://www.steam.com/ | -- Benjamin Franklin, 1759 |
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
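The triage Cliff describes above (an external SNMP/POP scan 15 minutes before a burst of SNMP requests from an internal box, recurring at the same hour each night) can be automated over packet-filter logs. The script below is an added example, not code from the original post or from HP/JetDirect; it assumes an ipchains-style "Packet log:" line format, a constructed set of log lines, and hypothetical addresses (192.168.1.0/24 as the NATed LAN, 203.0.113.x as the outside scanner, 198.51.100.x as the targets). It separates a one-off external probe from an internal host that sweeps several targets on UDP/161 at the same hour on more than one day, which is the signature of a scheduled discovery job rather than an intruder who got through the firewall.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post). The line layout is an
# assumed ipchains-style "Packet log" format; adjust LOG_RE for your own firewall.
SAMPLE_LOG = """\
Sep  6 00:45:10 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.7:4321 198.51.100.20:161 L=78
Sep  6 00:45:11 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4322 198.51.100.20:110 L=60
Sep  6 01:00:02 fw kernel: Packet log: output DENY eth0 PROTO=17 192.168.1.10:1030 198.51.100.21:161 L=78
Sep  6 01:00:02 fw kernel: Packet log: output DENY eth0 PROTO=17 192.168.1.10:1031 198.51.100.22:161 L=78
Sep  7 01:00:03 fw kernel: Packet log: output DENY eth0 PROTO=17 192.168.1.10:1044 198.51.100.21:161 L=78
Sep  7 01:00:03 fw kernel: Packet log: output DENY eth0 PROTO=17 192.168.1.10:1045 198.51.100.23:161 L=78
Sep  8 01:00:01 fw kernel: Packet log: output DENY eth0 PROTO=17 192.168.1.10:1050 198.51.100.21:161 L=78
"""

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\w+)\s+(?P<action>\w+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed NATed LAN
SNMP_PORT = 161
UDP = 17
LOG_YEAR = 1999  # syslog lines carry no year; assumed for the sample


def parse_log(text):
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "proto": int(m["proto"]), "dport": int(m["dport"])})
    return events


def snmp_sources(events):
    """Group UDP/161 requests by source: on which days, at which hours, to how many targets."""
    by_src = defaultdict(lambda: {"days": set(), "hours": set(), "targets": set()})
    for e in events:
        if e["proto"] == UDP and e["dport"] == SNMP_PORT:
            s = by_src[e["src"]]
            s["days"].add(e["ts"].date())
            s["hours"].add(e["ts"].hour)
            s["targets"].add(e["dst"])
    return by_src


def classify(by_src):
    """Label each SNMP source.

    An internal host that hits several targets at the same hour on two or more
    days looks like a scheduled job (e.g. a printer-discovery daemon firing at
    01:00), not an attacker. The same-hour test is deliberately strict; a sweep
    that straddles an hour boundary would need a wider window.
    """
    verdicts = {}
    for src, s in by_src.items():
        internal = ipaddress.ip_address(src) in INTERNAL
        if internal and len(s["days"]) >= 2 and len(s["hours"]) == 1 and len(s["targets"]) >= 2:
            label = "internal scheduled sweep"
        elif internal:
            label = "internal SNMP traffic, not recurring"
        else:
            label = "external SNMP probe"
        verdicts[src] = {"label": label, "hour": min(s["hours"]),
                         "days": len(s["days"]), "targets": len(s["targets"])}
    return verdicts


if __name__ == "__main__":
    for src, v in sorted(classify(snmp_sources(parse_log(SAMPLE_LOG))).items()):
        print(f"{src:15} {v['label']} (hour {v['hour']:02d}, {v['days']} day(s), "
              f"{v['targets']} target(s))")
```

Run against the constructed lines, the external 203.0.113.7 shows up once as a probe while 192.168.1.10 is flagged as a scheduled sweep at 01:00 on three days, which is the pattern that points at a discovery job on the internal box rather than a compromise. Once a source is labelled that way, the fix is on that host (disable the scheduled discovery, as in the post), not a rebuild.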