"Paul D. Robertson" wrote:
>
> On Thu, 23 Dec 1999, Eric wrote:
>
> > That is why I was wondering about certain common computer services. I
> > would imagine for those services that are pretty much available to
> > everyone that there is some kind of consent normally given. However,
> > if those services are abused, such as a ping attack on a computer or
> > on a network, that it would pass the line beyound that consent. And
> > for things that are not a service such as BackOrifice, only scans made
> > by the explicit permission of the owner or other authorized person
> > should be made. Anyone else making such scans is clearly doing so without
> > the benefit of any permission of the owner of the computer.
>
> Worse-yet, such laws don't address "stupid" protocols and protocol
> practices like the computer scanning its "Network Neighborhood", trying
> to do SNMP auto-discovery, PC Anywhere looking for available hosts...
> Nor does it seem to address times when the computer implies consent, or
> the use of a scan to try to link back a scan...
>
> Perhaps what we need is a well-known protocol that defines a network policy,
> usage agreement, etc. that responds to a broadcast packet for a subnet, or is
> forwarded from a specific port on the subnet's gateway (so CIDR doesn't hurt
> anyone's brain). Then we'd be able to point to it and say "If the
> attacker didn't read this, they're at fault" If they did and still did
> something against the policy, then they're liablously at fault.
> Actually, the best place would be in the reverse zone file somewhere.
>
> Thoughts?
For SMTP, the MX records provide addresses of what servers may be used to
send e-mail to that domain. If mail.example.com includes MX records such
as:
example.com. IN MX 1 mail.example.com.
example.com. IN MX 2 mail.another-example.com.
example.com. IN MX 3 mail.yet-another-example.com.
one could easily argue that one has permission to access SMTP on
mail.yet-another-example.com in order to send e-mail to [EMAIL PROTECTED]
But it would be difficult to argue that one had permission to use
a third party server, say mail.innocent-third-party.com to send
e-mail to [EMAIL PROTECTED] since example.com does not list any MX
records for that domain.
There is also the default action that if you send mail to [EMAIL PROTECTED]
and there are no MX records for xyz.example.com that the machine will
attempt to connect directly to xyz.example.com to send e-mail. I think
it would be difficult to argue that someone does not have permission to
contact port 25 on xyz.example.com if they are sending e-ail to a user on
xyz.example.com and there are no MX records provided in the DNS.
In general, I think that access on a gateway or the computer itself
would be preferable over using the dns (other than it already does
for SMTP). In some cases, it should be the network security people's
decision over which services to allow while in other cases, it should
be up to the individual owner of the machine.
Eric Johnson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
