[Dshield] Ramifications of opening up MS Networking across IP X/SPX - to IP?
chris.meidinger at badenit.de
Thu Oct 7 10:03:09 GMT 2004
> 1. Can't trojans/worms/viruses still traverse the IP/IPX
> boundary simply by infecting their PDC and therefore infect
> our network as well?

If their PDC is infected, is running IP, and can open new connections to
machines on your network, then it can infect your network.

> 2. They will be able to see our entire Network from that PDC.
> What is to stop them from adding our Domain to the PDC's
> browse list and in effect publishing our Network machine
> names to their entire user base?

If the trust is one way, meaning that their pdc trusts yours, but not the
other way around, (you mentioned that earlier) you are safe in the sense
that their accounts cannot access resources on your network. However, if
they have any IP access to your network, then they can enumerate domain
computers and user accounts without even bothering to do it from the pdc.
smbclient from the samba suite is a good starting point, but there are many
other netbios enumeration tools.

> 3. Is my concern about exposing our machine names to a
> network (and their users) which I do not control valid?

In my opinion, the names are not that sensitive. I assume that they know
your IP space, they can just query your DNS or WINS for the names. If there
is any connection to a windows network, it will shout the names in every
direction. There is no way (except switch trickery, like blocking
broadcasts, which will open a host of other problems) to hide names on a
netbios network. If you are really tricky, you can set the hostnames (DNS)
different than the netbios names -- I am fairly sure that this still works in
server 200 -- and let them stumble around.

> 4. If I remove IPX/SPX from all my servers, except the lone
> DB server they need to access on our side, will this provide
> any measure of protection from virus/worm/trojans and one
> snoop happy admin?

No. Different Protocol != Security Measure

> 5. What kind of misconfiguration on their side or mine could
> open us up entirely to their network traffic?

I agree with a previous poster -- you need a firewall, not a router. Allow
only outgoing traffic from workstations on your side to the netbios ports on
their pdc, and you should be as OK as you can get.

> I would like to implement a special IPX/IP translating router
> myself on our side which would translate IPX to IP and also
> restrict incoming access to our DB server, and responses to
> our workstation requests. Is this even possible? Any ideas
> - Linux comes to mind, but I can resort to Windows if there
> is no other choice.

> If we went ahead with this proposal I would do so only if I
> received in writing, a policy of non-interference from their
> group. Examples include any problems with respect to
> networking, virus/trojans/worms, logs filling up - all those
> would be their problem and not ours. Complaining to
> management about these problems would also be prohibited - if
> their logs fill up that's their problem. We would not be
> told to stop doing anything on our network. They would be
> banned from sniffing/logging/or otherwise examining any of
> our traffic. All this is to prevent that one individual from
> being allowed to impose his personal will on our group.

I've never heard of an agreement which specified 'no complaining' -- is
this really practicable?

Are your two departments this much at war? What about just getting a linux
box running to provide the services you need from their network, and once
that works cutting all access to their net?

Just some thoughts,
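As an added illustration of the firewall policy recommended in the reply above (example code written for this page, not anything posted by the list or its members): a Python check that expresses "only our workstations to their PDC on the NetBIOS ports, only their hosts to our one DB server" and audits constructed firewall log lines against it, flagging denied NetBIOS connections from their side as enumeration attempts. All addresses, the DB port and the log line format are assumptions.

```python
import ipaddress
import re

# Constructed addresses for illustration (assumptions, not from the thread).
OUR_NET = ipaddress.ip_network("10.1.0.0/16")     # our side
THEIR_NET = ipaddress.ip_network("10.2.0.0/16")   # their side
THEIR_PDC = ipaddress.ip_address("10.2.0.10")     # the PDC our workstations need
OUR_DB = ipaddress.ip_address("10.1.0.20")        # the one server they need
NETBIOS_PORTS = {137, 138, 139, 445}              # NetBIOS/SMB over IP
DB_PORT = 1433                                    # assumed DB listener port

def policy(src, dst, dport):
    """Verdict for a NEW connection; replies are handled by connection
    tracking on the firewall, so only the initiating direction is judged."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in OUR_NET and d == THEIR_PDC and dport in NETBIOS_PORTS:
        return "allow"          # our workstations -> their PDC, NetBIOS only
    if s in THEIR_NET and d == OUR_DB and dport == DB_PORT:
        return "allow"          # their hosts -> our DB server, nothing else
    return "deny"               # everything else, in either direction

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def audit(log_lines):
    """Scan iptables-style SYN log lines for new connections the policy denies;
    a denied NetBIOS port from their side is what enumeration tools need."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if policy(src, dst, dport) == "deny":
            kind = "enumeration" if (ipaddress.ip_address(src) in THEIR_NET
                                     and dport in NETBIOS_PORTS) else "other"
            findings.append((src, dst, dport, kind))
    return findings

SAMPLE_LOG = [  # constructed log lines, not real traffic
    "Oct  7 10:03:09 fw kernel: NEW SRC=10.1.0.33 DST=10.2.0.10 PROTO=TCP DPT=139",
    "Oct  7 10:03:10 fw kernel: NEW SRC=10.2.0.55 DST=10.1.0.20 PROTO=TCP DPT=1433",
    "Oct  7 10:03:11 fw kernel: NEW SRC=10.2.0.55 DST=10.1.0.30 PROTO=TCP DPT=445",
    "Oct  7 10:03:12 fw kernel: NEW SRC=10.2.0.55 DST=10.1.0.31 PROTO=UDP DPT=137",
    "Oct  7 10:03:13 fw kernel: NEW SRC=10.2.0.10 DST=10.1.0.20 PROTO=TCP DPT=3389",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("DENY %s -> %s:%d (%s)" % f)
```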