TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Mr. Russo,
You should have your RealSecure engines set up with dual NICs. The
"sniffer" NIC will only have a MAC address.....No IP stack. This NIC is on
the LAN that you want to "sniff". The second NIC will be behind some type
of firewall (even a properly-configured filtering router), and not reachable
by anyone (in theory). The RS IDS will then not be vulnerable to DoS from
external networks.
Hope this helps.
Mr. Schmidt
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------
-----Original Message-----
From: Michael D. Russo
Sent: Tuesday, May 23, 2000 1:38 PM
To: 'Delores A. Quade'
Cc: '[EMAIL PROTECTED]'
Subject: RE: security vulnerability in MS
FYI:
According to the following Microsoft Security Bulletin MS00-029, I am
assuming that this is a flaw in the MS "IP Stack" and am planning on
applying the fix to all of my RS engines, NT Machines running RS agents and
NT machines running RS Consoles because this appears to be a "neat" little
way to DOS any of our RS Engines, Agent Machines and Consoles independent of
any ISS code... Of course, my most recent conversations with ISS Customer
Support in Atlanta (yes we are an Enterprise Customer with a paid
support/maintenance contract in effect)... All ISS Internet Scanner, DB
Scanner, Systems Scanner and Real Secure installations are officially
supported by ISS at MS NT4.0 SP5... and of course this MS00-029 fix is a
Post SP6a hotfix which begs the question... Will ISS officially support Real
Secure Engine, Agents and Consoles on NT4.0 SP6a with the MS00-029
Q259728i.EXE - 263 Kb hotfix applied??? An rsvp from ISS Technical Support
is appreciated.
Thank you,
Sincerely,
************************************************************************
Michael D. Russo * StorageNetworks, Inc.
Information Security Project Mgr * 100 Fifth Avenue
Engineering Department * Third Floor
Information Security Group * Waltham, Massachusetts USA 02451
(781) 434-6231 voice * (781) 434-6700 Reception
(781) 434-6799 fax * (800) 463-7105 Toll Free
[EMAIL PROTECTED] * www.storagenetworks.com
************************************************************************
Microsoft Security Bulletin (MS00-029)
- --------------------------------------
Patch Available for "IP Fragment Reassembly" Vulnerability
Originally Posted: May 19, 2000
Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows(r) 95, Windows 98, Windows
NT(r) 4.0 and Windows 2000. The vulnerability could be used to cause
an affected machine to temporarily stop performing useful work.
Frequently asked questions regarding this vulnerability and
the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-029.asp
Issue
=====
The affected systems contain a flaw in the code that performs IP
fragment reassembly. If a continuous stream of fragmented IP
datagrams with a particular malformation were sent to an affected
machine, it could be made to devote most or all of its CPU
availability to processing them. The data rate needed to completely
deny service varies depending on the machine and network conditions,
but in most cases even relatively moderate rates would suffice.
The vulnerability would not allow a malicious user to compromise data
on the machine or usurp administrative control over it. Although it
has been reported that the attack in some cases will cause an affected
machine to crash, affected machines in all Microsoft testing returned
to normal service shortly after the fragments stopped arriving.
Machines protected by a proxy server or a firewall that drops
fragmented packets would not be affected by this vulnerability. The
machines most likely to be affected by this vulnerability would be
machines located on the edge of a network such as web servers or proxy
servers.
Affected Software Versions
==========================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 Workstation
- Microsoft Windows NT 4.0 Server
- Microsoft Windows NT 4.0 Server, Enterprise Edition
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
Patch Availability
==================
- Windows 95:
http://download.microsoft.com/download/win95/update/8070/
w95/EN-US/259728USA5.EXE
- Windows 98:
http://download.microsoft.com/download/win98/update/8070/
w98/EN-US/259728USA8.EXE
- Windows NT 4.0 Workstation, Server and Server, Enterprise
Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20829
- Windows NT 4.0 Server, Terminal Server Edition:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20830
- Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20827
-----Original Message-----
From: Delores A. Quade [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 22, 2000 12:44 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: security vulnerability in MS
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------
>Summary
>=======
>Microsoft has released a patch that eliminates a security
>vulnerability in Microsoft(r) Windows(r) 95, Windows 98, Windows
>NT(r) 4.0 and Windows 2000. The vulnerability could be used to cause
>an affected machine to temporarily stop performing useful work.
Does anyone know if NT boxes running realsecure can be crashed with
this bug???
dq.
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
