[Dshield] Ramifications of opening up MS Networking across IPX/SPX - to IP?

Linda Ruiz linlu at yahoo.com
Wed Oct 6 19:00:52 GMT 2004


All,

At our site, we run two somewhat independent networks.  I run
our network and the other network is run by another group.  We
currently have an IPX/SPX router between the two networks set up
so that we can only see their lone Novell server.  We cannot see
their NT PDC, nor can they supposedly see any of our
servers/workstations in their Windows machine Network
Neighborhood.  They do have access to one shared DB server via a
Sybase ASA client - via IPX/SPX.  We access shared files on that
lone Novell server, including our old decrepit email system.

A proposal is on the table to eliminate the Novell server and
use their Windows NT PDC to access any shared files and the
email system.  Their side is on TCP/IP, as is our side.  Their
NT PDC will have two NICs installed, one with TCP/IP that their
network will use, and another NIC which only has IPX/SPX bound
to it.  That NIC will be hooked to the IPX/SPX router which will
then hook into our Internal LAN switch.  They intend to set up a
one way trust to allow their PDC to trust all of our domain
users.  

On the people side, one of their admins has a habit of
'watching' all network traffic and is a general pain in the
butt.  He was the original reason we broke off from their
network.  He had a habit of interfering with our group's work
via crying to management about what we were doing (customer
requested items), stopping us from testing new technology, other
incidents, and even took over one of our servers while I was out
on maternity leave.

I have several concerns which I am hoping someone can help with
- either prove or disprove.

1.  Can't trojans/worms/viruses still traverse the IP/IPX
boundary simply by infecting their PDC and therefore infect our
network as well?

2.  They will be able to see our entire Network from that PDC. 
What is to stop them from adding our Domain to the PDC's browse
list and in effect publishing our Network machine names to their
entire user base?  

3.  Is my concern about exposing our machine names to a network
(and their users) which I do not control valid?

4.  If I remove IPX/SPX from all my servers, except the lone DB
server they need to access on our side, will this provide any
measure of protection from virus/worm/trojans and one snoop
happy admin?

5.  What kind of misconfiguration on their side or mine could
open us up entirely to their network traffic?

I would like to implement a special IPX/IP translating router
myself on our side which would translate IPX to IP and also
restrict incoming access to our DB server, and responses to our
workstation requests.  Is this even possible?  Any ideas - Linux
comes to mind, but I can resort to Windows if there is no other
choice.

If we went ahead with this proposal I would do so only if I
received in writing, a policy of non-interference from their
group.  Examples include any problems with respect to
networking, virus/trojans/worms, logs filling up - all those
would be their problem and not ours. Complaining to management
about these problems would also be prohibited - if their logs
fill up that's their problem.  We would not be told to stop
doing anything on our network.  They would be banned from
sniffing/logging/or otherwise examining any of our traffic.  All
this is to prevent that one individual from being allowed to
impose his personal will on our group.

I would like to hear your answers to my questions and any issues
I may have not thought about.

Thanks,
Linda Ruiz :)

=====
For my non-geek friends:
Friends don't email friends .exe or .com files.  So don't open those types of attachments!!
For my geek friends:
Adopt a newbie....


