RE: Cisco Workaround

2003-08-14 Thread David Gillett
L PROTECTED] > Sent: August 10, 2003 23:27 > To: David Gillett > Cc: 'Douglas Gullett'; 'Adam Overlin'; > [EMAIL PROTECTED] > Subject: RE: Cisco Workaround > > > > hi guys, > > all the posts i've seen replying to this guy's proble

RE: Cisco Workaround (VPN PROBLEM)

2003-08-14 Thread stephen at unix dot za dot net
hallo again, just to make life easy for you adam, my scenario is a freebsd box that acts as a gateway/firewall, which redirects vpn calls to my w2k server. i don't have too much cisco experience (last time i used one was about 3 yrs ago) but as long as you do the following vpn connections shoul

RE: Cisco Workaround

2003-08-14 Thread stephen at unix dot za dot net
u > > need to have > > Protocol Port 51 (ESP) and Protocol Port 52 (AH) open, as > > well as UDP Port > > 500 (isakmp). > > > > Doug > > > > -----Original Message- > > From: Adam Overlin [mailto:[EMAIL PROTECTED] > > Sent: Thursday, July 31

RE: Cisco Workaround

2003-08-14 Thread Cesar Osorio
at unix dot za dot net'" da.edu> <[EMAIL PROTECTED]> cc: <[EMAIL PROTECTED]> 12/08/

RE: Cisco Workaround

2003-08-14 Thread Cesar Osorio
EMAIL PROTECTED]> 12/08/2003 02:07 Subject: RE: Cisco Workaround Please respond to gillettdavid Whether your VPN users need GRE or ESP+AH will depend on what particular VPN technology they use. (In our case, so

RE: Cisco Workaround

2003-08-04 Thread David Gillett
ESP is protocol 50 and AH is 51. Neither opening 52 nor leaving 50 closed is likely to help. David Gillett > -Original Message- > From: Douglas Gullett [mailto:[EMAIL PROTECTED] > Sent: August 2, 2003 08:49 > To: Adam Overlin; [EMAIL PROTECTED] > Subject: RE: C

RE: Cisco Workaround

2003-08-04 Thread Adam Overlin
riginal Message- From: Douglas Gullett [mailto:[EMAIL PROTECTED] Sent: Saturday, August 02, 2003 8:49 AM To: Adam Overlin; [EMAIL PROTECTED] Subject: RE: Cisco Workaround Adam, If the "cheat" sheet you are referring to is the Cisco Security Alert, I am guessing that you put in their access-

RE: Cisco Workaround

2003-08-04 Thread Douglas Gullett
am Overlin [mailto:[EMAIL PROTECTED] Sent: Thursday, July 31, 2003 12:59 PM To: [EMAIL PROTECTED] Subject: RE: Cisco Workaround I just joined this list so I haven't seen the whole thread on this issue, thus my company's particular issue may have been discussed already, but I thought I woul

RE: Cisco Workaround (VPN PROBLEM)

2003-08-01 Thread Vachon, Scott
>I did state in my first mail that it was the pixes that were controlling the >vpn/encryption, but I may not have been clear. So there it is again. :) >Anyway, the 2 versions that we tried to upgrade to are: >c820-k9osy6-mz.12.3-1a (24/8) and >12.2(15)T4/5 >Currently we are running: >12.2 (sorry

RE: Cisco Workaround (VPN PROBLEM)

2003-08-01 Thread Paul Benedek
August 2003 00:04 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Cisco Workaround (VPN PROBLEM) I did state in my first mail that it was the pixes that were controlling the vpn/encryption, but I may not have been clear. So there it is again. :) Anyway, the 2 versions that we tried to

RE: Cisco Workaround

2003-07-31 Thread Dozal, Tim
To: [EMAIL PROTECTED] Subject: RE: Cisco Workaround >Background: >We have a Cisco 827 router and a PIX 506e locally. Router being in front of >the PIX. We also have a co-location facility that we are connected via a >constant VPN tunnel. There we have a PIX 515e. The two pixes are

RE: Cisco Workaround (VPN PROBLEM)

2003-07-31 Thread Adam Overlin
did look the same as it was before. Just the IOS >version changed. > >Adam > >-Original Message- >From: John Canty [mailto:[EMAIL PROTECTED] >Sent: Thursday, July 31, 2003 10:37 AM >To: Adam Overlin >Subject: RE: Cisco Workaround > > >send us along a

RE: Cisco Workaround (VPN PROBLEM)

2003-07-31 Thread jamesworld
al Message- From: John Canty [mailto:[EMAIL PROTECTED] Sent: Thursday, July 31, 2003 10:37 AM To: Adam Overlin Subject: RE: Cisco Workaround send us along a copy of this cheat sheet, and I am willing to bet there might be a few more answers to give :) //John -Original Message- From: Ada

RE: Cisco Workaround

2003-07-31 Thread Vachon, Scott
>Background: >We have a Cisco 827 router and a PIX 506e locally. Router being in front of >the PIX. We also have a co-location facility that we are connected via a >constant VPN tunnel. There we have a PIX 515e. The two pixes are what >control the VPN/encryption. >So we upgraded the router to

RE: Cisco Workaround

2003-07-31 Thread Paul Benedek
[mailto:[EMAIL PROTECTED] Sent: 31 July 2003 17:59 To: [EMAIL PROTECTED] Subject: RE: Cisco Workaround I just joined this list so I haven't seen the whole thread on this issue, thus my company's particular issue may have been discussed already, but I thought I would see if I could get some h

RE: Cisco Workaround

2003-07-31 Thread Adam Overlin
Sent: Thursday, July 31, 2003 10:37 AM To: Adam Overlin Subject: RE: Cisco Workaround send us along a copy of this cheat sheet, and I am willing to bet there might be a few more answers to give :) //John -Original Message- From: Adam Overlin [mailto:[EMAIL PROTECTED] Sent: Thursday, July

RE: Cisco Workaround

2003-07-31 Thread Adam Overlin
I just joined this list so I haven't seen the whole thread on this issue, thus my company's particular issue may have been discussed already, but I thought I would see if I could get some help anyway. Background: We have a Cisco 827 router and a PIX 506e locally. Router being in front of the PIX.

Re: Cisco Workaround

2003-07-31 Thread Jac
Oh, you guys are no fun at all. The key to a conspiracy theory is that the facts have to at least marginally support the theory and not prove it. Just enough evidence to make one paranoid but not make you want to hide in your fallout shelter. This is perfect for a conspiracy, Very large company

RE: Cisco Workaround

2003-07-30 Thread Dozal, Tim
m. Tim (the above is my personal view, not that of the company btw) -Original Message- From: Todd Mitchell - lists [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 30, 2003 9:02 AM To: 'Jac'; [EMAIL PROTECTED] Subject: RE: Cisco Workaround | As to support, I heard an interesting c

Re: Cisco Workaround

2003-07-30 Thread James Fields
This sounds false on its face. Cisco actually makes a great deal of money from providing support (trust me, I know what my company pays for a blanket contract and it's enough to put several Cisco-kids through college every year). There's a pretty good reason why this flaw wasn't found sooner - th

RE: Cisco Workaround

2003-07-30 Thread Todd Mitchell - lists
| As to support, I heard an interesting conspiracy | theory related to Cisco support and the IOS flaw: | | The theory is that Cisco had far too many IOS versions | that they support in the field and in order to reduce | support costs they "conveniently" found this flaw with | the IOS software and u

Re: Cisco Workaround

2003-07-30 Thread Jac
As to support, I heard an interesting conspiracy theory related to Cisco support and the IOS flaw: The theory is that Cisco had far too many IOS versions that they support in the field and in order to reduce support costs they "conveniently" found this flaw with the IOS software and used it to prop

RE: Cisco Workaround

2003-07-29 Thread James Fields
> > > > > > -Original Message- > From: Noonan, Wesley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 29, 2003 12:27 AM > To: '[EMAIL PROTECTED]'; 'Ghaith Nasrawi' > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: Cisco Workar

Re: Cisco Workaround

2003-07-29 Thread stephane nasdrovisky
As far as this particular issue is concerned, Cisco do provide a high quality of support to its customers. What they don't provide is free training for lazy network administrators. If you're unable to apply the IOS patch they freely provide to any administrator who asks for it (as stated in the ad

RE: Cisco Workaround

2003-07-29 Thread Ghaith Nasrawi
L PROTECTED]; [EMAIL PROTECTED] Subject: RE: Cisco Workaround I've got to agree with David here. There is no reason that Cisco, or any other large company should be expected to provide workarounds that address the distinct minority of their install base. They should focus on the majority

RE: Cisco Workaround

2003-07-28 Thread Martin, Olivier
removed. Olivier -Original Message- From: Tim Donahue [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2003 3:43 PM To: 'Ghaith Nasrawi' Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Cisco Workaround Hmmm Why don't you open up the protocols from the add

Re: Cisco Workaround

2003-07-28 Thread joshua sahala
that there are new versions of IOS > that are not vulnerable to this attack, which means that you can > upgrade IOS and resolve the issue all together. > > Tim Donahue > > > -Original Message- > > From: Ghaith Nasrawi [mailto:[EMAIL PROTECTED] > > Sent: Frida

RE: Cisco Workaround

2003-07-28 Thread Noonan, Wesley
:40 To: 'Ghaith Nasrawi' Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Cisco Workaround They have. They've been amazingly responsive about providing fixed code versions for some frighteningly-old equipment. The *Workaround* is just a quick and dirty fix for those who need s

RE: Cisco Workaround

2003-07-28 Thread David Gillett
- > From: Ghaith Nasrawi [mailto:[EMAIL PROTECTED] > Sent: July 25, 2003 08:33 > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: Cisco Workaround > > > Well, my question is; what the hell if I was using any of these > protocols?? Didn't cisco think of that?

RE: Cisco Workaround (comment on actually using those protocols)

2003-07-28 Thread jamesworld
PM To: Alvaro Gordon-Escobar Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Cisco Workaround Alvaro, No. The protocol blocked by the access-list is protocol 53 not protocol TCP or protocol UDP port 53. If you need further info, let me know, -James At 09:15 7/23/2003, Alvaro Gord

RE: Cisco Workaround

2003-07-28 Thread Ghaith Nasrawi
ble. ./Ghaith === Today is the tomorrow you worried about yesterday -Original Message- From: Tim Donahue [mailto:[EMAIL PROTECTED] Sent: Friday, July 25, 2003 10:43 PM To: 'Ghaith Nasrawi' Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Cisco Workaround Hmmm

RE: Cisco Workaround

2003-07-28 Thread Tim Donahue
issue all together. Tim Donahue > -Original Message- > From: Ghaith Nasrawi [mailto:[EMAIL PROTECTED] > Sent: Friday, July 25, 2003 11:33 AM > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: Cisco Workaround > > > Well, my question is; what the hell if I w

RE: Cisco Workaround

2003-07-25 Thread Ghaith Nasrawi
ailto:[EMAIL PROTECTED] Sent: Wednesday, July 23, 2003 6:48 PM To: Alvaro Gordon-Escobar Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Cisco Workaround Alvaro, No. The protocol blocked by the access-list is protocol 53 not protocol TCP or protocol UDP port 53. If you need further info

RE: Cisco Workaround

2003-07-24 Thread Jofre, Sebastian
Ports : http://www.seifried.org/security/ports/ Regards. -Original Message- From: Wolfpaw - Dale Corse [mailto:[EMAIL PROTECTED] Sent: Thursday, July 24, 2003 1:03 AM To: DOUGLAS GULLETT; Alvaro Gordon-Escobar Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Cisco Workaround Be

RE: Cisco Workaround

2003-07-24 Thread David Gillett
with a need for any additional protocols to cross our borders. David Gillett > -Original Message- > From: Kurt Seifried [mailto:[EMAIL PROTECTED] > Sent: July 23, 2003 22:11 > To: DOUGLAS GULLETT; Alvaro Gordon-Escobar > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject

Re: Cisco Workaround

2003-07-24 Thread Stephane Nasdrovisky
My phone is plugged in the port 53 of our pabx, will I have to plug my phone in another port if I implement this access list ? > DNS is using port 53, I think you should consider > unblock this port if you want your DNS to communicate with your ISP > DNS. > > will this access list

Re: Cisco Workaround

2003-07-24 Thread Jac
The list stated is what Cisco recommends in their work around for the transit ACL. The exploit for this has already come out and they state that you don't need any combinations, just 76 packets of one of the protocols. I gave it a quick read through and you can find it at: http://www.derkeiler.co

Re: Cisco Workaround

2003-07-24 Thread joshua sahala
On Wednesday 23 July 2003 15:16, DOUGLAS GULLETT wrote: > I don't think you have to put all the access-list in. I believe > that the hack requires a certain combination of packets to the four > ports, so leaving one or two of them open should still prevent the > hack. That might be a good questio

Re: Cisco Workaround

2003-07-24 Thread john
The hack does not require the usage of all 4 protocols. Using any one of them will disable the router interface. Using hping to test is the best way to see what I mean. John On Wed, 2003-07-23 at 14:16, DOUGLAS GULLETT wrote: > I don't think you have to put all the access-list in. I beli

Re: Cisco Workaround

2003-07-24 Thread igenge2
Hello Doug, >I don't think you have to put all the access-list in. I believe that >the hack requires a certain combination of packets to the four ports, >so leaving one or two of them open should still prevent the hack. Firstly, remember that these are IP protocols we are referring to, not TCP/

RE: Cisco Workaround

2003-07-24 Thread Byrne Ghavalas
helps. Kind regards Byrne G > -Original Message- > From: DOUGLAS GULLETT [mailto:[EMAIL PROTECTED] > Sent: Wednesday, July 23, 2003 8:16 PM > To: Alvaro Gordon-Escobar > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Cisco Workaround > > > I don'

RE: Cisco Workaround

2003-07-24 Thread Wolfpaw - Dale Corse
CTED] > Subject: Re: Cisco Workaround > > > I don't think you have to put all the access-list in. I > believe that > the hack requires a certain combination of packets to the > four ports, > so leaving one or two of them open should still prevent the > hack. That

Re: Cisco Workaround

2003-07-24 Thread Kurt Seifried
No. The attack requires N+1 attack packets. N=size of queue, which by default is 75. The packets can be any of the four protocols (i.e. all of one type, half of one, half of another, etc.). It has also been reported that some other protocols work for this attack, but this has not been confirmed. Re

RE: Cisco Workaround

2003-07-24 Thread dave kleiman
These are IP protocols you are denying, not TCP or UDP protocols. i.e. 103 = PIM Protocol Independent Multicast _ Dave Kleiman [EMAIL PROTECTED] www.netmedic.net "High achievement always takes place in the framework of high expectation." Jack Kinder -Original Message

RE: Cisco Workaround

2003-07-24 Thread Dave Gilmore (Intrusense)
esday, July 23, 2003 3:16 PM To: Alvaro Gordon-Escobar Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Cisco Workaround I don't think you have to put all the access-list in. I believe that the hack requires a certain combination of packets to the four ports, so leaving one or two of

Re: Cisco Workaround

2003-07-24 Thread Paul Kincaid
om: DOUGLAS GULLETT <[EMAIL PROTECTED]> > Date: Wed, 23 Jul 2003 15:16:28 -0400 > Subject: Re: Cisco Workaround > X-Mailer: iPlanet Messenger Express 5.2 HotFix 1.16 (built May 14 2003) > X-Spam-Status: No, hits=-99.4 required=5.0 > tests=FROM_ENDS_IN_NUMS,KNOWN_MAILI

RE: Cisco Workaround

2003-07-24 Thread Terry Baranski
> I don't think you have to put all the access-list in. I believe > that the hack requires a certain combination of packets to the > four ports, so leaving one or two of them open should still prevent > the hack. This was an initial assumption made by many that is apparently not accurate (pe

Re: Cisco Workaround

2003-07-24 Thread bryan_khoo
Hi Alvaro, DNS is using port 53, I think you should consider unblock this port if you want your DNS to communicate with your ISP DNS. Rdgs, Bryan *** TOWARDS CUSTOMER CENTERED CULTURE *** ** Dynacraft is a QS9000 and ISO14001 certified company ** |-

Re: Cisco Workaround

2003-07-23 Thread Luis Enrique Londono
No, this ACL doesn't block any TCP nor UDP traffic. Luis Enrique Londono Security Services Coordinator Andean Region ImpSat - Original Message - From: "Alvaro Gordon-Escobar" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Wednesday, July 23, 2003 9:15 AM Subject:

Re: Cisco Workaround

2003-07-23 Thread DOUGLAS GULLETT
I don't think you have to put all the access-list in. I believe that the hack requires a certain combination of packets to the four ports, so leaving one or two of them open should still prevent the hack. That might be a good question for Cisco TAC...they should be willing to help even if you

RE: Cisco Workaround

2003-07-23 Thread Charlie Winckless
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 No, because you aren't blocking TCP/UDP 53 (the DNS ports) but instead the IP PROTOCOL 53. - -- Charlie > -Original Message- > From: Alvaro Gordon-Escobar [mailto:[EMAIL PROTECTED] > Sent: Wednesday, July 23, 2003 8:15 AM > To: [EMAIL PROTE

RE: Cisco Workaround

2003-07-23 Thread Todd Mitchell - lists
If you're using BIND, you can use the blackhole option. Todd -- | -Original Message- | From: Alvaro Gordon-Escobar [mailto:[EMAIL PROTECTED] | Sent: Wednesday, July 23, 2003 10:15 AM | To: [EMAIL PROTECTED]; [EMAIL PROTECTED] | Subject: Cisco Workaround | | will this access list modifi

RE: Cisco Workaround

2003-07-23 Thread Naman Latif
No. DNS uses UDP (or in some cases TCP). Protocol numbers for UDP and TCP are 17 and 6 respectively. You are denying protocols 53,55,77,103 so DNS will work as before. Regards \\ Naman > -Original Message- > From: Alvaro Gordon-Escobar [mailto:[EMAIL PROTECTED] > Sent: Wednesday, July 23,

Re: Cisco Workaround

2003-07-23 Thread jamesworld
Alvaro, No. The protocol blocked by the access-list is protocol 53 not protocol TCP or protocol UDP port 53. If you need further info, let me know, -James At 09:15 7/23/2003, Alvaro Gordon-Escobar wrote: will this access list modification prevent my internal DNS server from updates to it s