[Dshield] Ramifications of opening up MS Networking across IPX/SPX - to IP?

Willy, Andrew AWilly at eSMIL.net
Wed Oct 6 21:50:07 GMT 2004


I believe the complexity of your existing and proposed solution is
unnecessary. You should easily be able to segment and separate the traffic
of both networks with routers and/or VLANs using only IP.  Later switches
allow LAN users access to servers without allowing them access to one
another, and routers with access-lists provide extensive filtering.

Someone, of course, will be required to administer the routers or switches
that implement the segmentation, and it sounds as if that would either be you
or the gentlemen you find disagreeable. Perhaps a vendor implementation?



-----Original Message-----
From: Linda Ruiz [mailto:linlu at yahoo.com]
Sent: Wednesday, October 06, 2004 12:01 PM
To: list at lists.dshield.org
Subject: [Dshield] Ramifications of opening up MS Networking across
IPX/SPX - to IP?


At our site, we run two somewhat independent networks.  I run
our network and the other network is run by another group.  We
currently have an IPX/SPX router between the two networks set up
so that we can only see their lone Novell server.  We cannot see
their NT PDC, nor can they supposedly see any of our
servers/workstations in their Windows machine Network
Neighborhood.  They do have access to one shared DB server via a
Sybase ASA client - via IPX/SPX.  We access shared files on that
lone Novell server, including our old decrepit email system.

A proposal is on the table to eliminate the Novell server and
use their Windows NT PDC to access any shared files and the
email system.  Their side is on TCP/IP, as is our side.  Their
NT PDC will have two NICs installed, one with TCP/IP that their
network will use, and another NIC which only has IPX/SPX bound
to it.  That NIC will be hooked to the IPX/SPX router which will
then hook into our Internal LAN switch.  They intend to set up a
one-way trust to allow their PDC to trust all of our domain

On the people side, one of their admins has a habit of
'watching' all network traffic and is a general pain in the
butt.  He was the original reason we broke off from their
network.  He had a habit of interfering with our group's work
via crying to management about what we were doing (customer
requested items), stopping us from testing new technology, other
incidents, and even took over one of our servers while I was out
on maternity leave.

I have several concerns which I am hoping someone can help with
- either prove or disprove.

1.  Can't trojans/worms/viruses still traverse the IP/IPX
boundary simply by infecting their PDC and therefore infect our
network as well?

2.  They will be able to see our entire Network from that PDC. 
What is to stop them from adding our Domain to the PDC's browse
list and in effect publishing our Network machine names to their
entire user base?  

3.  Is my concern about exposing our machine names to a network
(and their users) which I do not control valid?

4.  If I remove IPX/SPX from all my servers, except the lone DB
server they need to access on our side, will this provide any
measure of protection from virus/worm/trojans and one snoop
happy admin?

5.  What kind of misconfiguration on their side or mine could
open us up entirely to their network traffic?

I would like to implement a special IPX/IP translating router
myself on our side which would translate IPX to IP and also
restrict incoming access to our DB server, and responses to our
workstation requests.  Is this even possible?  Any ideas - Linux
comes to mind, but I can resort to Windows if there is no other

If we went ahead with this proposal I would do so only if I
received in writing, a policy of non-interference from their
group.  Examples include any problems with respect to
networking, virus/trojans/worms, logs filling up - all those
would be their problem and not ours. Complaining to management
about these problems would also be prohibited - if their logs
fill up that's their problem.  We would not be told to stop
doing anything on our network.  They would be banned from
sniffing/logging/or otherwise examining any of our traffic.  All
this is to prevent that one individual from being allowed to
impose his personal will on our group.

I would like to hear your answers to my questions and any issues
I may have not thought about.

Linda Ruiz :)

For my non-geek friends:
Friends don't email friends .exe or .com files.  So don't open those types
of attachments!!
For my geek friends:
Adopt a newbie....
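The IP-only segmentation suggested in the reply above, applied to the situation in the original post (their network may reach only our DB server; our workstations may initiate connections to their PDC and get the replies back; everything else from their side is logged and dropped), as an added example that is not part of either post. It is an iptables ruleset for a Linux box routing between the two LANs. The interface names, subnets, host addresses and the Sybase ASA port (2638, its usual default) are assumptions for illustration; the rules are generated as text so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables ruleset for a Linux
# router placed between "our" LAN and "their" LAN.  All addresses, interface
# names and the DB port below are assumptions chosen for illustration.

OURS_IF=eth0;   OURS_NET=10.10.0.0/24     # our side of the router (assumed)
THEIRS_IF=eth1; THEIRS_NET=10.20.0.0/24   # their side of the router (assumed)
DB_SERVER=10.10.0.50                      # our shared DB server (assumed)
DB_PORT=2638                              # Sybase ASA default TCP port (assumed)
PDC=10.20.0.10                            # their NT PDC (assumed)

# Emit the FORWARD-chain rules, one iptables argument list per line.
# Default-deny, then explicit allows; the last rule logs what the policy
# will drop so "their" traffic showing up at our edge is visible.
gen_rules() {
  cat <<EOF
-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $THEIRS_IF -s $THEIRS_NET -d $DB_SERVER -p tcp --dport $DB_PORT -j ACCEPT
-A FORWARD -i $OURS_IF -s $OURS_NET -d $PDC -p tcp -m multiport --dports 139,445 -j ACCEPT
-A FORWARD -i $THEIRS_IF -j LOG --log-prefix "theirs-denied: "
EOF
}

# Count the explicit ACCEPT rules (useful as a sanity check before applying).
accept_count() {
  gen_rules | grep -c -- '-j ACCEPT'
}

# Apply the ruleset only when explicitly asked (APPLY=1); otherwise just print it.
if [ "${APPLY:-0}" = "1" ]; then
  sysctl -w net.ipv4.ip_forward=1
  iptables -F FORWARD
  gen_rules | while read -r rule; do
    # shellcheck disable=SC2086  # word-splitting of $rule is intended here
    iptables $rule
  done
else
  gen_rules
fi
```

Run it without `APPLY` to review the generated rules; run `APPLY=1 sh segment.sh` as root on the router to load them. NetBIOS name-service broadcasts (UDP 137/138) never cross a router anyway, so with only these three accepts in place the PDC cannot enumerate our hosts except for the ones that connect to it, which narrows the browse-list exposure raised in the original post to exactly the machines we choose to let talk to it.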
DShield and the Internet Storm Center are sponsored by the SANS Institute.
To learn more about current SANS training, see http://www.sans.org .
