> -----Original Message-----
> From: Ben Nagy [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 06, 2000 9:10 PM
> 
> [...]
> Exactly how bad is telnet administration of a box in this DMZ? We assume
> that another box in the DMZ is compromised (needs to happen for sniffing to
> work).

It gives a clear text view of the environment to any intruder. Why
make it easy for him to find his way around?

> If I owned this putative DMZ box, I'd go straight for the session hijacking.
> Given that I've now got access to the wire I can (fairly) trivially hijack
> any TCP session into or out of the trusted network. That's likely to be much
> more interesting to me than compromising another DMZ box by running
> a sniffer. Besides, with full access to the wire I've got a raft
> of possible hacks available to me - I don't necessarily need a
> password.

Yes, but these 'hacks' are more of the active kind, say sendmail
crash root compromise. Sniffing passwords allows an intruder to enter
the network through normal channels which may not get picked up that
quickly. Do you check when you last logged into a machine?

> So, if people have complete control over your DMZ boxes it's very bad. The
> fact that in the event of such a compromise cleartext administration turns
> out to be easy picking is the least of one's worries.

Keep in mind that you only need to compromise one box. You can sniff
a password, let the admins fix your current intrusion, and come back
later through normal channels using that password, with good chances
of getting through undetected. Also, this password might open other
doors (i.e. modem pools).

> What I'm really saying here is that I think the biggest risk with cleartext
> administration is still en-route compromise. I think of that threat
> as requiring the compromise of a carrier or an ISP. We can't
> always assume that small, random ISPs will not become transit
> networks, but it's fairly likely that you can work out which
> telcos / carriers your data will traverse. It's then a matter of
> how much you trust their networks. That's the risk I weigh when I
> decide whether cleartext is "good enough".

I hear this statement a lot. "The greatest danger in regards to
sniffing is on the Internet (ISP's)". I'm not sure if I can agree to
that as nowadays most everyone moves to switched networks. Hosts,
like DNS, are off the main traffic segments, so sniffing session
there would not show your communication.

Oh, and now that I think of it, using switches in your DMZ will
probably help to thwart the sniffing issue... :)

Regards,
Frank
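One way to act on Frank's question about checking when you last logged into a machine, as an added example that is not from this thread: a Python script that parses constructed login-log lines (the log format, hostnames and addresses are hypothetical) and flags logins that arrive through the normal login path but from outside the expected admin network or under an unexpected account, which is the re-entry pattern a sniffed telnet password enables.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of a Unix login log (not real data).
SAMPLE_LOG = """\
Sep 07 08:02:11 dmz-web login[2311]: LOGIN ON pts/0 BY admin FROM 10.1.2.5
Sep 07 08:40:53 dmz-dns login[2402]: LOGIN ON pts/1 BY admin FROM 10.1.2.5
Sep 09 03:17:44 dmz-web login[3190]: LOGIN ON pts/0 BY admin FROM 192.0.2.77
Sep 09 03:19:02 dmz-web login[3194]: LOGIN ON pts/1 BY root FROM 10.1.9.40
"""

# Matches the hypothetical "LOGIN ON <tty> BY <user> FROM <addr>" records above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) login\[\d+\]: "
    r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<src>\S+)$"
)


def parse_logins(text):
    """Return one dict per parsed login line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_suspicious_logins(text, admin_nets, admin_users):
    """Flag interactive logins that break the expected administration pattern.

    A login is reported when its source address lies outside the admin
    networks, or when the account is not one an admin is expected to use.
    Either is the 'normal channel' re-entry described in the thread: a valid
    password, an ordinary login, an unusual origin.
    """
    nets = [ip_network(n) for n in admin_nets]
    hits = []
    for rec in parse_logins(text):
        src = ip_address(rec["src"])
        reasons = []
        if not any(src in n for n in nets):
            reasons.append("source outside admin networks")
        if rec["user"] not in admin_users:
            reasons.append("unexpected account")
        if reasons:
            hits.append((rec["ts"], rec["host"], rec["user"], rec["src"], reasons))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOG, ["10.1.2.0/24"], {"admin"}):
        print(hit)
```

Run against real `last` or syslog output the regex must be adapted to that format; the admin network list and account set are the policy the check enforces.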

