[Dshield] Ramifications of opening up MS Networking across IPX/SPX- to IP?

SAWYER Charlotte M Charlotte.M.Sawyer at state.or.us
Wed Oct 6 20:43:51 GMT 2004

Sounds to me like what you REALLY  need is a firewall -- IMHO protocol
differences are only a little bit of help, but ratcheting down the access to
a controlled list of capabilities may be a more appropriate way to handle
the technical issues.  In addition I generally caution about having a
network be more complex than it needs to be -- no matter what the perceived
reason(s).  Complexity can often come back to get you later........

> I < didn't see anything in your description of the situation that couldn't
be handled with IP and firewall functions.  

In addition, I believe the "management challenge" you appear to have should
be addressed no matter what happens with the network -- it's unfortunate,
but often the "people stuff" is harder to deal with than the "technical

-----Original Message-----
From: Linda Ruiz [mailto:linlu at yahoo.com] 
Sent: Wednesday, October 06, 2004 12:01 PM
To: list at lists.dshield.org
Subject: [Dshield] Ramifications of opening up MS Networking across IPX/SPX-
to IP?


At our site, we run two somewhat independent networks.  I run our network
and the other network is run by another group.  We currently have an IPX/SPX
router between the two networks setup so that we can only see their lone
Novell server.  We cannot see their NT PDC, nor can they supposedly see any
of our servers/workstations in their Windows machine Network Neighborhood.
They do have access to one shared DB server via a Sybase ASA client - via
IPX/SPX.  We access shared files on that lone Novell server, including our
old decrepit email system.

A proposal is on the table to eliminate the Novell server and use their
Windows NT PDC to access any shared files and the email system.  Their side
is on TCP/IP, as is our side.  Their NT PDC will have two NICs installed,
one with TCP/IP that their network will use, and another NIC which only has
IPX/SPX bound to it.  That NIC will be hooked to the IPX/SPX router which
will then hook into our Internal LAN switch.  They intend to set up a one way
trust to allow their PDC to trust all of our domain users.  

On the people side, one of their admins has a habit of 'watching' all
network traffic and is a general pain in the butt.  He was the original
reason we broke off from their network.  He had a habit of interfering with
our group's work via crying to management about what we were doing (customer
requested items), stopping us from testing new technology, other incidents,
and even took over one of our servers while I was out on maternity leave.

I have several concerns which I am hoping someone can help with
- either prove or disprove.

1.  Can't trojans/worms/viruses still traverse the IP/IPX boundary simply by
infecting their PDC and therefore infect our network as well?

2.  They will be able to see our entire Network from that PDC. 
What is to stop them from adding our Domain to the PDC's browse list and in
effect publishing our Network machine names to their entire user base?  

3.  Is my concern about exposing our machine names to a network (and their
users) which I do not control valid?

4.  If I remove IPX/SPX from all my servers, except the lone DB server they
need to access on our side, will this provide any measure of protection from
virus/worm/trojans and one snoop happy admin?

5.  What kind of misconfiguration on their side or mine could open us up
entirely to their network traffic?

I would like to implement a special IPX/IP translating router myself on our
side which would translate IPX to IP and also restrict incoming access to
our DB server, and responses to our workstation requests.  Is this even
possible?  Any ideas - Linux comes to mind, but I can resort to Windows if
there is no other choice.

If we went ahead with this proposal I would do so only if I received in
writing, a policy of non-interference from their group.  Examples include any
problems with respect to networking, virus/trojans/worms, logs filling up -
all those would be their problem and not ours. Complaining to management
about these problems would also be prohibited - if their logs fill up that's
their problem.  We would not be told to stop doing anything on our network.
They would be banned from sniffing/logging/or otherwise examining any of our
traffic.  All this is to prevent that one individual from being allowed to
impose his personal will on our group.

I would like to hear your answers to my questions and any issues I may have
not thought about.

Linda Ruiz :)

For my non-geek friends:
Friends don't email friends .exe or .com files.  So don't open those types
of attachments!! For my geek friends: Adopt a newbie....
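One way to make the "controlled list of capabilities" concrete, as an added example that is not from either poster: a toy stateful packet filter in Python that admits only their clients to our DB server and our users to their PDC shares, lets replies to those flows back through, and denies everything else (addresses, the Sybase and SMB ports are assumptions for illustration).

```python
"""Toy stateful packet filter modelling what a firewall between the two LANs
would enforce. Addresses and ports below are assumptions, not from the thread."""
import ipaddress

OUR_NET = ipaddress.ip_network("10.1.0.0/16")      # assumed: our LAN
THEIR_NET = ipaddress.ip_network("10.2.0.0/16")    # assumed: their LAN
DB_SERVER = ipaddress.ip_address("10.1.0.10")      # assumed: our shared Sybase ASA host
THEIR_PDC = ipaddress.ip_address("10.2.0.5")       # assumed: their NT PDC
SYBASE_PORT = 2638   # Sybase ASA default TCP port (assumed; thread gives no port)
SMB_PORT = 139       # NetBIOS session service used by NT file shares

# Explicit allow list for NEW flows: (src network, dst host, proto, dst port)
ALLOW_NEW = [
    (THEIR_NET, DB_SERVER, "tcp", SYBASE_PORT),   # their clients -> our DB only
    (OUR_NET, THEIR_PDC, "tcp", SMB_PORT),        # our users -> their PDC shares/email
]


class Firewall:
    def __init__(self):
        self.established = set()   # 5-tuples of flows already admitted

    def check(self, src, dst, proto, sport, dport):
        """Return 'ALLOW' or 'DENY' for one packet, tracking admitted flows."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. A reply to a flow we already allowed (the "responses to our
        #    workstation requests" case) is permitted.
        if (dst, src, proto, dport, sport) in self.established:
            return "ALLOW"
        # 2. A new flow is admitted only if it is on the explicit list.
        for net, host, p, port in ALLOW_NEW:
            if src in net and dst == host and proto == p and dport == port:
                self.established.add((src, dst, proto, sport, dport))
                return "ALLOW"
        # 3. Default deny: their PDC cannot browse our workstations, a worm on
        #    their side cannot probe us, and a misconfiguration on either side
        #    does not silently widen access.
        return "DENY"
```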