RE: Broadcast ports [7:51805]

2002-08-21 Thread Elijah Savage III

Thank you all for your replies. But what really has me a little upset is
that our NT team cares nothing about routing and very little about
security; they just need these high-dollar applications to work, because
if not it does not look good to management. Anyway, off my soapbox. How
this came about: they are using this program to update the clients, I
suppose, or at least I was told, and clients on the same subnet they can
go out and discover, but for any clients not on the same subnet, where the
traffic has to cross the router, the discover utility does not work
and the server does not see any of those clients. So doing the research,
from what the vendor told us and reading that doc, it looks to me as if
the server is not talking to one specific IP, as in the case of IP helper,
but is broadcasting to all the clients on that subnet; that is why I am
stuck. I should have given more information before, but trying to explain
the security ramifications and routing issues to the NT team had me so
frustrated last night. I will be putting a sniffer on today on both
sides of the router to see what it looks like. But talking with the
vendor, the server broadcasts for these clients, then the clients respond
directly with this RPC call.

What a mess. If anyone is interested, I will keep you up to date on the
fix for this product.

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 21, 2002 12:17 AM
To: [EMAIL PROTECTED]
Subject: Re: Broadcast ports [7:51805]

Chuck's Long Road wrote:
 
 Priscilla Oppenheimer wrote in message
 news:[EMAIL PROTECTED]...
  No wonder you are a bit lost. They aren't using our networking terminology
  quite correctly. There's no such thing as a broadcast port and hence you
  can't open it. Perhaps what they mean is that you need to get the router to
  forward the IP broadcasts to UDP port 42508. Do this with an ip
  helper-address on the incoming interface. Tell the router to forward the
  packets to a specific address or a broadcast address, depending on your
  needs. Make sure you are specific regarding which packets to forward by
  using the ip forward-protocol and no ip forward-protocol commands. Otherwise
  the router will forward TFTP, DNS, NTP, NetBIOS, DHCP, and TACACS and not
  the packets in question. (The app does use UDP I hope? I don't think this
  works for TCP-based traffic.)
 
  It doesn't sound like a very well-behaved application. I wonder why it has
  to use broadcasts? But, application developers often don't know networking.
  Argh. ;-)
 
 CL: off topic, but I finally got my OpNet upgrade installed today. Failed
 several times because OpNet demands that the license registration take
 place over the web, and for some reason their web server and my employer's
 firewall absolutely hated each other. Once I plugged my laptop directly to
 the 'net, the license registration went perfectly.

Ugh. Maybe it was using a non-standard port or something...

 
 CL: I mention this only because of your comment about well-behaved
 applications. These days, with unlimited bandwidth, I wonder if it is even

Bandwidth isn't the issue, but getting it to work certainly is, as you saw.
I read the document for that app in question, Etrust AntiVirus Inoculate. It
appears that the Redistribution Server downloads signatures from Computer
Associates via FTP. That should be fun to get through the various
firewalls!? The document doesn't even say if it uses passive or active.

Also, I wonder about a man-in-the-middle attack. One could wreak havoc by
messing with those downloads. They probably are aware of that though. I only
have that one document and I'm sure it's not the entire story.

Have fun with OpNet!

Priscilla

 worth the fight about well-behaved apps and security-conscious vendors. About
 the only reason I am even bothering with OpNet is because it has a decent
 simulation component, and it is my intention to learn how to bang out some
 bandwidth simulations to show the relative merits of 256K internet access
 versus full T1 internet access. Last time I did one of these sims (a couple
 of years ago) the software indicated there wasn't much merit at all. I'm
 curious to see if OpNet has become a bit more sophisticated and if so,
 what that might mean for their conclusions.
 
  Priscilla
 
  Elijah Savage III wrote:
  
   Ok I am a little lost here but our NT team has rolled out this product.
  
   http://files.ruca.ua.ac.be/pub/security/virus/ca/rolloutig.pdf
  
   Everything is working but the server can't see the clients because in
   the document above it states that router ports need to be open to pass
   these broadcasts. I do not think this is a good idea but my hand is being
   pushed to make this happen. But the question is how in the heck I am gonna
   get routers to pass this broadcast port stated in that document.
  
   Here is the

RE: Broadcast ports [7:51805]

2002-08-21 Thread Priscilla Oppenheimer

Elijah Savage III wrote:
 this came about: they are using this program to update the clients, I
 suppose, or at least I was told, and clients on the same subnet they can
 go out and discover, but for any clients not on the same subnet, where the
 traffic has to cross the router, the discover utility does not work
 and the server does not see any of those clients. So doing the research,
 from what the vendor told us and reading that doc, it looks to me as if
 the server is not talking to one specific IP, as in the case of IP helper,
 but is broadcasting to all the clients on that subnet; that is why I am
 stuck.

IP helper address doesn't have to use a specific IP address. It can use a
broadcast address, for example, a broadcast for an entire subnet, such as
172.16.10.255.

 I should have given more information before, but trying to explain
 the security ramifications and routing issues to the NT team had me so
 frustrated last night. I will be putting a sniffer on today on both

Using a Sniffer is the way to go. We're sort of speculating otherwise and
having to believe what the application developer types are saying. ;-)

I have been wondering if the ip helper address might not be the solution,
however. It sounds like you have wondered about that too. I think what is
happening is that the server is sending out directed broadcasts to each of
your subnets. I suspect this because the documentation says that you have to
tell the server about each of your subnets so that the polling will work. (I
may not have the exact wording correct. I'll check the documentation
again, but it's something like that.)

So let's say you told the server that you have the following subnets:

172.16.10.0 /24
172.16.11.0 /24
172.16.12.0 /24

The server will send polls to:

172.16.10.255
172.16.11.255
172.16.12.255

That's what's known as a directed broadcast. A station not on the subnet
directs a broadcast from afar toward the subnet.

In the olden days this would have worked. For the last few years, however,
Cisco IOS has defaulted to no ip directed-broadcasts, so this won't work.
The fix may be as simple as configuring the router to allow ip
directed-broadcasts with the ip directed-broadcasts command.

Now, Cisco uses that default because there are security concerns with
directed broadcasts. One issue was that from afar someone could ping an
entire subnet. There are probably more serious issues too.

But you can associate an access list with ip directed-broadcasts that
would only allow them to come from that server.

Regarding ports, from our previous messages, be sure that if you already
have access lists that they aren't blocking the ports used by this new
application.

Good luck. We feel for your frustration. Argh! 

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51849t=51805
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
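Router configuration for the access-list-scoped directed-broadcast approach Priscilla describes above, added here as an illustration; it is not from the thread or the CA document. It assumes Cisco IOS, an admin server at 172.16.1.10 (assumed address) polling the three subnets listed above on UDP 42508 (the port quoted from the vendor document); note that the IOS keyword is singular, ip directed-broadcast, and that it takes a numbered extended access list.

```cisco
! Added example (not from the thread or the vendor document). Assumes
! Cisco IOS, the eTrust admin server at 172.16.1.10 (assumed), and the
! client subnets 172.16.10.0/24 .. 172.16.12.0/24 named in the message.
! UDP 42508 is the default poll port quoted from the CA document.
!
! --- Weak form: what "just make it work" looks like --------------------
! Re-enables directed broadcasts for any source, i.e. the behaviour Cisco
! turned off by default (anyone off-subnet can make the whole subnet
! answer a single packet).
interface FastEthernet0/1
 description client subnet 172.16.10.0/24 -- NOT this way
 ip address 172.16.10.1 255.255.255.0
 ip directed-broadcast
!
! --- Hardened form -----------------------------------------------------
! Only the admin server's polls to UDP 42508, addressed to the subnet
! broadcast, are turned into a layer-2 broadcast; every other directed
! broadcast is still dropped (implicit deny at the end of the list).
access-list 110 remark eTrust poll relay: admin server only
access-list 110 permit udp host 172.16.1.10 host 172.16.10.255 eq 42508
access-list 110 permit udp host 172.16.1.10 host 172.16.11.255 eq 42508
access-list 110 permit udp host 172.16.1.10 host 172.16.12.255 eq 42508
!
interface FastEthernet0/1
 description client subnet 172.16.10.0/24
 ip address 172.16.10.1 255.255.255.0
 ip directed-broadcast 110
!
interface FastEthernet0/2
 description client subnet 172.16.11.0/24
 ip address 172.16.11.1 255.255.255.0
 ip directed-broadcast 110
!
interface FastEthernet0/3
 description client subnet 172.16.12.0/24
 ip address 172.16.12.1 255.255.255.0
 ip directed-broadcast 110
!
! The clients answer the server by unicast (the RPC call mentioned
! upthread), so no broadcast handling is needed in the return direction;
! just make sure any existing inbound access list on these interfaces
! permits the clients' replies back to 172.16.1.10.
```

Verify with show ip interface FastEthernet0/1, which reports whether directed broadcast forwarding is enabled on that interface.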



RE: Broadcast ports [7:51805]

2002-08-20 Thread Priscilla Oppenheimer

No wonder you are a bit lost. They aren't using our networking terminology
quite correctly. There's no such thing as a broadcast port and hence you
can't open it. Perhaps what they mean is that you need to get the router to
forward the IP broadcasts to UDP port 42508. Do this with an ip
helper-address on the incoming interface. Tell the router to forward the
packets to a specific address or a broadcast address, depending on your
needs. Make sure you are specific regarding which packets to forward by
using the ip forward-protocol and no ip forward-protocol commands. Otherwise
the router will forward TFTP, DNS, NTP, NetBIOS, DHCP, and TACACS and not
the packets in question. (The app does use UDP I hope? I don't think this
works for TCP-based traffic.)

It doesn't sound like a very well-behaved application. I wonder why it has
to use broadcasts? But, application developers often don't know networking.
Argh. ;-)

Priscilla

Elijah Savage III wrote:
 
 Ok I am a little lost here but our NT team has rolled out this product.
 
 http://files.ruca.ua.ac.be/pub/security/virus/ca/rolloutig.pdf
 
 Everything is working but the server can't see the clients because in
 the document above it states that router ports need to be open to pass
 these broadcasts. I do not think this is a good idea but my hand is being
 pushed to make this happen. But the question is how in the heck I am gonna
 get routers to pass this broadcast port stated in that document.
 
 Here is the snippet.
 
 5) What port number would you like the admin server to poll clients on?
 
 In the NameClient section of the ICF file two settings for client polling
 by the admin server exist. These values are Broadcast ports and
 Pollbroadcast ports both with the default value of 42508. For security
 reasons, it is suggested that you change these values. In addition, to
 perform a free election this port must be opened on the routers internally
 for broadcasts.
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51808t=51805
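The helper-address approach from the message above, written out as an added example for Cisco IOS; this is not code from the thread or the CA document. Assumed: the admin server 172.16.1.10 sits on 172.16.1.0/24 behind FastEthernet0/0 and the clients on 172.16.10.0/24 and 172.16.11.0/24; UDP 42508 is the default port quoted from the vendor document. The weak form shows what a bare ip helper-address actually relays; the scoped form relays only the poll port.

```cisco
! Added example, not from the thread or the vendor document. Assumes Cisco
! IOS; the admin server 172.16.1.10 on FastEthernet0/0 and client subnets
! 172.16.10.0/24, 172.16.11.0/24 are assumed. Port 42508 is the default
! Broadcast/Pollbroadcast port quoted from the CA document.
!
! --- Weak form: bare helper address ------------------------------------
! Relays the helper's default UDP ports (TFTP, DNS, Time, NetBIOS name and
! datagram, BOOTP/DHCP, TACACS) from the server subnet onto the client
! subnet, but not 42508: the application still fails and unrelated
! broadcasts now cross the router.
interface FastEthernet0/0
 description server subnet -- NOT this way
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 172.16.10.255
!
! --- Scoped form -------------------------------------------------------
! Relay exactly one port and switch the defaults off (global commands).
ip forward-protocol udp 42508
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! bootps/bootpc are relayed by default too; turning them off disables
! DHCP relay on this router, so drop these two lines if any interface
! still needs to relay DHCP.
no ip forward-protocol udp bootps
no ip forward-protocol udp bootpc
!
! The server's 255.255.255.255 polls arrive here; one helper per client
! subnet rewrites the destination to that subnet's broadcast address. The
! source stays 172.16.1.10, so the clients' replies go straight back.
interface FastEthernet0/0
 description server subnet
 ip address 172.16.1.1 255.255.255.0
 ip helper-address 172.16.10.255
 ip helper-address 172.16.11.255
!
! A relayed packet leaves addressed to 172.16.10.255 / 172.16.11.255, i.e.
! as a directed broadcast, so the egress interfaces must allow it, and
! only from the server to the poll port.
access-list 110 permit udp host 172.16.1.10 host 172.16.10.255 eq 42508
access-list 110 permit udp host 172.16.1.10 host 172.16.11.255 eq 42508
interface FastEthernet0/1
 ip address 172.16.10.1 255.255.255.0
 ip directed-broadcast 110
interface FastEthernet0/2
 ip address 172.16.11.1 255.255.255.0
 ip directed-broadcast 110
```

With the sniffer on both sides of the router, the server-side capture should show the poll to 255.255.255.255:42508 and the client-side capture the same payload to 172.16.10.255:42508 with the server's source address unchanged.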



Re: Broadcast ports [7:51805]

2002-08-20 Thread Chuck's Long Road

Priscilla Oppenheimer wrote in message
news:[EMAIL PROTECTED]...
 No wonder you are a bit lost. They aren't using our networking terminology
 quite correctly. There's no such thing as a broadcast port and hence you
 can't open it. Perhaps what they mean is that you need to get the router to
 forward the IP broadcasts to UDP port 42508. Do this with an ip
 helper-address on the incoming interface. Tell the router to forward the
 packets to a specific address or a broadcast address, depending on your
 needs. Make sure you are specific regarding which packets to forward by
 using the ip forward-protocol and no ip forward-protocol commands. Otherwise
 the router will forward TFTP, DNS, NTP, NetBIOS, DHCP, and TACACS and not
 the packets in question. (The app does use UDP I hope? I don't think this
 works for TCP-based traffic.)

 It doesn't sound like a very well-behaved application. I wonder why it has
 to use broadcasts? But, application developers often don't know networking.
 Argh. ;-)

CL: off topic, but I finally got my OpNet upgrade installed today. Failed
several times because OpNet demands that the license registration take
place over the web, and for some reason their web server and my employer's
firewall absolutely hated each other. Once I plugged my laptop directly to
the 'net, the license registration went perfectly.

CL: I mention this only because of your comment about well-behaved
applications. These days, with unlimited bandwidth, I wonder if it is even
worth the fight about well-behaved apps and security-conscious vendors. About
the only reason I am even bothering with OpNet is because it has a decent
simulation component, and it is my intention to learn how to bang out some
bandwidth simulations to show the relative merits of 256K internet access
versus full T1 internet access. Last time I did one of these sims (a couple
of years ago) the software indicated there wasn't much merit at all. I'm
curious to see if OpNet has become a bit more sophisticated and if so,
what that might mean for their conclusions.





 Priscilla

 Elijah Savage III wrote:
 
  Ok I am a little lost here but our NT team has rolled out this product.
 
  http://files.ruca.ua.ac.be/pub/security/virus/ca/rolloutig.pdf
 
  Everything is working but the server can't see the clients because in
  the document above it states that router ports need to be open to pass
  these broadcasts. I do not think this is a good idea but my hand is being
  pushed to make this happen. But the question is how in the heck I am gonna
  get routers to pass this broadcast port stated in that document.
 
  Here is the snippet.
 
  5) What port number would you like the admin server to poll clients on?
 
  In the NameClient section of the ICF file two settings for client polling
  by the admin server exist. These values are Broadcast ports and
  Pollbroadcast ports both with the default value of 42508. For security
  reasons, it is suggested that you change these values. In addition, to
  perform a free election this port must be opened on the routers internally
  for broadcasts.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51811t=51805



Re: Broadcast ports [7:51805]

2002-08-20 Thread Priscilla Oppenheimer

Chuck's Long Road wrote:
 
 Priscilla Oppenheimer wrote in message
 news:[EMAIL PROTECTED]...
  No wonder you are a bit lost. They aren't using our networking terminology
  quite correctly. There's no such thing as a broadcast port and hence you
  can't open it. Perhaps what they mean is that you need to get the router to
  forward the IP broadcasts to UDP port 42508. Do this with an ip
  helper-address on the incoming interface. Tell the router to forward the
  packets to a specific address or a broadcast address, depending on your
  needs. Make sure you are specific regarding which packets to forward by
  using the ip forward-protocol and no ip forward-protocol commands. Otherwise
  the router will forward TFTP, DNS, NTP, NetBIOS, DHCP, and TACACS and not
  the packets in question. (The app does use UDP I hope? I don't think this
  works for TCP-based traffic.)
 
  It doesn't sound like a very well-behaved application. I wonder why it has
  to use broadcasts? But, application developers often don't know networking.
  Argh. ;-)
 
 CL: off topic, but I finally got my OpNet upgrade installed today. Failed
 several times because OpNet demands that the license registration take
 place over the web, and for some reason their web server and my employer's
 firewall absolutely hated each other. Once I plugged my laptop directly to
 the 'net, the license registration went perfectly.

Ugh. Maybe it was using a non-standard port or something...

 
 CL: I mention this only because of your comment about well-behaved
 applications. These days, with unlimited bandwidth, I wonder if it is even

Bandwidth isn't the issue, but getting it to work certainly is, as you saw.
I read the document for that app in question, Etrust AntiVirus Inoculate. It
appears that the Redistribution Server downloads signatures from Computer
Associates via FTP. That should be fun to get through the various
firewalls!? The document doesn't even say if it uses passive or active.

Also, I wonder about a man-in-the-middle attack. One could wreak havoc by
messing with those downloads. They probably are aware of that though. I only
have that one document and I'm sure it's not the entire story.

Have fun with OpNet!

Priscilla

 worth the fight about well-behaved apps and security-conscious vendors. About
 the only reason I am even bothering with OpNet is because it has a decent
 simulation component, and it is my intention to learn how to bang out some
 bandwidth simulations to show the relative merits of 256K internet access
 versus full T1 internet access. Last time I did one of these sims (a couple
 of years ago) the software indicated there wasn't much merit at all. I'm
 curious to see if OpNet has become a bit more sophisticated and if so,
 what that might mean for their conclusions.
 
  Priscilla
 
  Elijah Savage III wrote:
  
   Ok I am a little lost here but our NT team has rolled out this product.
  
   http://files.ruca.ua.ac.be/pub/security/virus/ca/rolloutig.pdf
  
   Everything is working but the server can't see the clients because in
   the document above it states that router ports need to be open to pass
   these broadcasts. I do not think this is a good idea but my hand is being
   pushed to make this happen. But the question is how in the heck I am gonna
   get routers to pass this broadcast port stated in that document.
  
   Here is the snippet.
  
   5) What port number would you like the admin server to poll clients on?
  
   In the NameClient section of the ICF file two settings for client polling
   by the admin server exist. These values are Broadcast ports and
   Pollbroadcast ports both with the default value of 42508. For security
   reasons, it is suggested that you change these values. In addition, to
   perform a free election this port must be opened on the routers internally
   for broadcasts.
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=51812t=51805