Ok - we've agreed to disagree.

I'm speaking from a corporate (audited business) perspective.

You're speaking from personal experience and architecture (never had an
auditor tell you to do this stuff from a "best practices" point-of-view).

As others have said, each business needs to analyze their needs - there is
no "one-size-fits-all" standard.

But having port 23 open to the internet without any protection is still
asking for it.

jch

-----Original Message-----
From: Scott Klement [mailto:klemscot@klements.com]
Sent: Wednesday, December 04, 2002 2:38 PM
To: 'midrange-l@midrange.com'
Subject: RE: Remote Access (Again)



On Wed, 4 Dec 2002, Justin Haase wrote:
>
> If you disagree, that's fine.  I am going from direct experience, as
> well as input from numerous audits by internationally-recognized
> auditing firms.
>

I'm going from an in-depth knowledge of the TCP/IP protocol, as well as
input from numerous engineers who designed the protocols, and the input
of hackers who exploit them.

As well as direct experience exploiting them myself.

I've never dealt with an auditor, because I'm comfortable with my own
knowledge of internet security.


> > It doesn't matter if your iSeries is directly connected to the internet,
> > or if it goes through a few routers first... as long as the packets get
> > there, they can be sniffed.
>
> Perhaps I wasn't clear.  Internal network with no direct internet access
> was meaning either NAT or PAT, or perhaps even virtual IPs.  Not just a
> router and firewall in between.  I apologize for the vagueness.  It could
> also mean NO internet access.  Take it as you will.
>

NAT only partially protects you from a sniffer.   You can still get the
passwords, etc, but you can't get the IP of the machine.   Instead you get
the public IP used by NAT.

> > Turning off ICMP is a really bad idea.   Without it, the TCP/IP protocol
> > cannot work as it was designed to.
>
> I and every auditor on the planet disagree with you on this statement.
> (and it works just fine w/o it)

If you only use your internet connection for simple things, then the only
thing you'll notice immediately will be that you have to wait for
connections to time out, instead of immediately failing with no useful
error messages.

If you do more complex things, you'll find that ICMP is important.

At any rate, ICMP limiting, and blocking ICMP echo and echo reply packets
will solve the problems you describe without breaking any functionality.
I'm sorry if you don't believe me, but it's true.


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
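The middle ground Scott describes (rate-limit ICMP and drop echo request/reply instead of blocking ICMP outright) as an added nftables ruleset written for this page; it is not from the thread and assumes a Linux host running nftables in front of the system being protected.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread.
#
# The "turn off ICMP" policy the auditors asked for looks like this and has
# the cost Scott describes: no "port unreachable" or "fragmentation needed"
# messages ever arrive, so connections hang until they time out and Path MTU
# Discovery silently breaks.
#
#   table inet weak {
#       chain input {
#           type filter hook input priority 0; policy accept;
#           meta l4proto { icmp, ipv6-icmp } drop
#       }
#   }

table inet icmp_policy {
    chain input {
        type filter hook input priority 0; policy accept;

        # What the audit finding is really about: the host answering ping.
        # Drop echo request and echo reply; nothing in TCP/IP depends on them.
        icmp type { echo-request, echo-reply } drop
        icmpv6 type { echo-request, echo-reply } drop

        # Keep the control messages TCP/IP does depend on, but rate-limit them
        # so they cannot be used to flood the host. This is one global budget;
        # use a per-source meter if one noisy peer must not starve the rest.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } limit rate 10/second burst 20 packets accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } limit rate 10/second burst 20 packets accept

        # IPv6 cannot resolve neighbours or find its router without these.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

        # Every other ICMP type (redirects, timestamps, and so on) is dropped.
        meta l4proto { icmp, ipv6-icmp } drop
    }
}
```

Load it with `nft -f`; there is no `flush ruleset`, so the table is added alongside whatever is already loaded, and `nft list ruleset` shows the result.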


