RE: OS/400 IP spoofing vulnerability -- MIDRANGE-L

Chris,

Your firewall changes the TCP sequence numbers of your packets?
Seriously?   It's doing a lot more than just being a firewall, then...
it's more akin to NAT.

There are many times when you don't want your firewall messing with the
contents of TCP/IP datagrams, and many instances where it is just not
practical or logical to do.

The operating system SHOULD be changed to not use predictable sequence
numbers.  OS/400 is intended to be a secure operating system, you should
not need a 3rd party hack to make it safe.

It really bothers me that open-source operating systems where the
programmers don't even get paid for it can make the time to make these
things secure, and have been doing so for years, while a huge corporation
like IBM trails behind the pack.

Really.  IBM wants to take TCP/IP and security seriously, then they HAVE
to fix things like this, and they HAVE to be proactive about it.

On Thu, 12 Sep 2002, Chris Bipes wrote:
>
> If you put any server directly onto the internet you are asking for trouble.
> Now if you have a firewall, it SHOULD be configured to randomize packet
> headers thus preventing the attach they are talking about.  Trying to secure
> individual server is way too much work.  It is easiest to secure you entire
> network with a firewall.  Now if they were testing IBM AS400 Firewall
> product and you are running that, then I would reconsider a new firewall
> product.  What they were testing is somewhat unclear.
>

This mailing list archive is Copyright 1997-2026 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.