So ... doesn't that give them enough supporting evidence all by itself?
If not, maybe it is a lost cause?
As an aside - a pix, if it was permitting the offending port through as
well, may not have stopped the worm either. Think "Defense in Depth". A
firewall, while a necessity for -everyone- (IMHO) is not a cure-all; it is a
piece of a very large, very complex puzzle (even for a small network!).
..
Have someone in a Decision-making position there read "Hacking __(pick an os
- Windows2k, Linux, etc.)____", or attend a SANS course (or just visit their
reading room - TONS of articles). Read Eric Cole's or Ed Skoudis's books.
.. or, teach him/her to use google ...
Thanks!
TJ
-----Original Message-----
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]
there's an access list on the ethernet interface thats directly connected to
a dsl modem.
they're allowing telnet and smpt to basically, any any plus various other
protocols from/to specific addresses. There're only two outside addresses
that are natted but its really hideous and the access list is the only thing
resembling a layer of security between the internet and their server farm.
I was just hoping to hear some really good verbage about how vulnerable they
are. I've told them for 3 months to get a pix but it just aint sinking in.
Now they've got a worm loose on their mail server thats bringing down their
main host system and their internet line (but thats another story).
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
>
>
> Wilmes, Rusty wrote:
> >
> > this is a general question for the security specialists.
> >
> > Im trying to convince a client that they need a firewall....
> >
> > so hypothetically,
> >
> > if you had telnet via the internet open to a router (with an
> > access list
> > that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
>
> Do you actually mean that you are allowing Telnet and SMTP to
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even
> for people who
> don't know the password because passwords are often guessable.
>
> But I don't think that's what you meant...
>
> Allowing Telnet and SMTP through the router is more common,
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all
> text as clear
> text, including passwords.
>
> The question is really how vulnerable is the operating system
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like
> your client is
> the type that hasn't? In fact, the server is probably busy
> attacking the
> rest of us right now! ;-0
>
> So, as far as convicing your customer....
>
> The best way may be to put a free firewall, like Zone Alarm,
> on the decision
> maker's computer and show her/him all the attacks happening
> all the time. Or
> if she already has a firewall, walk her through the log.
>
> Good luck. I have a good book to recommend on this topic:
>
> Greenberg, Eric. "Mission-Critical Security Planner." New
> York, New York,
> Wiley Publishing, Inc., 2003.
>
> Here's an Amazon link:
>
> http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> inc/104-9901005-4572707
>
> Priscilla
>
> > how long would it take a determined hacker a) cause some kind
> > of network
> > downtime and b) to map a network drive to a share on a file
> > server over the
> > internet.
> >
> > Thanks,
> > Rusty
> >
> > > -----Original Message-----
> > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VLAN loop problem [7:66656]
> > >
> > >
> > > Yes,
> > > it prevents loops in spanning tree on layer 2 switches from
> > > causing a loop
> > > by disabling the port on a cisco switch...
> > >
> > >
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> > >
> > >
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > Thomas N.
> > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: VLAN loop problem [7:66656]
> > > >
> > > >
> > > > What does "portfast bpdu-guard" do? Does it prevent
> > interfaces with
> > > > portfast enabled from causing the loop in my scenario?
> > > >
> > > >
> > > > ""Larry Letterman"" wrote in message
> > > > news:[EMAIL PROTECTED]
> > > >
> > > > > port mac address security might work, altho its a lot of
> > admin
> > > > > overhead..are you running portfast bpdu-guard on the
> > access ports?
> > > > >
> > > > >
> > > > > Larry Letterman
> > > > > Network Engineer
> > > > > Cisco Systems
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: Thomas N.
> > > > > To: [EMAIL PROTECTED]
> > > > > Sent: Tuesday, April 01, 2003 8:14 PM
> > > > > Subject: VLAN loop problem [7:66656]
> > > > >
> > > > >
> > > > > Hi All,
> > > > >
> > > > > I got a problem in the production campus LAN here
> > between
> > > > VLANs. Please
> > > > > help me out! Below is the scenario:
> > > > >
> > > > > We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x)
> > subnets.
> > > > Routing is
> > > > > enable/allowed between the two subnets using MSFC of
> > > the 6500. Each
> > > > subnet
> > > > > has a DHCP server to assign IP address to devices on
> > its subnet.
> > > > > Spanning-tree is enable; however, portfast is turned on
> > on all
> > > > > non-trunking/uplink ports. Recently, devices on VLAN
> > 10 got
> > > > assigned an
> > > > IP
> > > > > address of 10.20.x.x , which is from the DHCP on the
> > > other scope and
> > > > also
> > > > > from 10.10.x.x scope, and vice versa. It seems that we
> > a
> > > > loop somewhere
> > > > > between the 2 subnets but we don't know where. I
> > > noticed lots of end
> > > > users
> > > > > have a little unmanged hub/switch hang off the network
> > > jacks in their
> > > > > cubicals and potentially cause loop.
> > > > >
> > > > > Is there any way that we can block the loop on the
> > > Cisco switches
> > > > without
> > > > > visiting cubicals taking those little umanaged
> > > hubs/switches? Thanks!
> > > > >
> > > > > Thomas
******************************************************************************
The information in this email is confidential and may be legally
privileged. Access to this email by anyone other than the
intended addressee is unauthorized. If you are not the intended
recipient of this message, any review, disclosure, copying,
distribution, retention, or any action taken or omitted to be taken
in reliance on it is prohibited and may be unlawful. If you are not
the intended recipient, please reply to or forward a copy of this
message to the sender and delete the message, any attachments,
and any copies thereof from your system.
******************************************************************************
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66778&t=66720
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
