On Mon, 23 Apr 2001, Network Operations wrote:

> This actually has a lot of relevance since dword conversion is a
> convenient way to subvert many of our security systems.

I'm not sure how you drew this conclusion?  For anything that's not doing
a direct string match, unless it's incredibly poorly written software, the
addresses in network byte order should be what's compared for access
control in a security system (since that's what's necessary for the
address to be used, though I suppose that normalization prior to
comparison is the actual network and I think I've used host byte order
in the past myself.)

Can you quantify "many" for us, since outside of URL filters (which, if
someone's calling them a security system, is specious at best) I can't
think of anything that cares what the address looks like at the command
line that would allow for "subversion" (I can imagine perhaps packet
filtering FTP firewalls not allowing the connections back, that's not a
subversion though.)  Where packet filters do a string match on
client or server supplied data, you'll get a mismatch, but every instance
I can think of means denial of access not "subversion."

I'm really stretching to think of things that would be adversely affected,
so any quantification you could bring would be highly appreciated.

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
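The point Paul makes above (compare the address value, not the string the client typed) in working code. This is an added example, not code from the original message or the firewalls list: it canonicalises the spellings the classic BSD inet_aton rules accept (dotted quad, the 32-bit "dword" form, hex, octal, and the short a.b and a.b.c forms) to one 32-bit value and compares on that, beside a plain string match. The parser is re-implemented here rather than calling the platform libc, because acceptance of the non-dotted forms varies between C libraries; that choice, and the ALLOWED list, are assumptions constructed for the demo.

```python
"""
Canonicalise inet_aton-style IPv4 spellings to a 32-bit value and compare
on the value.  Added example, not code from the original mailing-list post.
"""
import re
import socket
import struct

# Component syntax following the classic BSD inet_aton rules (assumption:
# re-implemented here instead of calling the platform's inet_aton, whose
# handling of the non-dotted forms differs between C libraries).
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")          # leading zero means octal, "0" alone is zero
_DEC = re.compile(r"[1-9][0-9]*")


def _component(s):
    """One dot-separated component as an integer, or ValueError."""
    if _HEX.fullmatch(s):
        return int(s[2:], 16)
    if _OCT.fullmatch(s):
        return int(s, 8)
    if _DEC.fullmatch(s):
        return int(s, 10)
    raise ValueError("bad IPv4 component: %r" % s)


def ipv4_to_u32(text):
    """Return the address as an unsigned 32-bit integer.

    Accepts a, a.b, a.b.c and a.b.c.d: every component but the last is one
    byte, the last fills whatever bytes remain (so "3232235777" alone is
    the whole address).  Raises ValueError for anything else.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad IPv4 address: %r" % text)
    vals = [_component(p) for p in parts]
    tail_bits = 8 * (5 - len(vals))
    if any(v > 0xFF for v in vals[:-1]) or (vals[-1] >> tail_bits):
        raise ValueError("component out of range: %r" % text)
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    return (addr << tail_bits) | vals[-1]


def canonical(text):
    """Dotted-quad spelling of any accepted form (via network byte order)."""
    return socket.inet_ntoa(struct.pack("!I", ipv4_to_u32(text)))


# Constructed allow-list for the demo (assumption, not from the post).
ALLOWED = ["192.168.1.1", "10.0.0.5"]


def allowed_by_string_match(host):
    """What a string-matching filter sees: only the exact spelling passes."""
    return host in ALLOWED


def allowed_by_address(host):
    """What a filter comparing the normalised address sees."""
    try:
        n = ipv4_to_u32(host)
    except ValueError:
        return False
    return any(n == ipv4_to_u32(a) for a in ALLOWED)


if __name__ == "__main__":
    # Every spelling below is 192.168.1.1; only the first passes a string match.
    for spelling in ["192.168.1.1", "3232235777", "0xC0A80101",
                     "0300.0250.1.1", "192.168.257", "192.11010305"]:
        print("%-16s -> %-12s string:%-5s address:%s" % (
            spelling, canonical(spelling),
            allowed_by_string_match(spelling), allowed_by_address(spelling)))
```

Run it and the dword, hex, octal and short forms all canonicalise to 192.168.1.1; the string-match filter rejects all but the dotted quad (the "mismatch means denial" case), while the address comparison treats them identically. A spelling that does not parse at all (five components, a component over 255, "08") is rejected by both.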
