[Dshield] Ramifications of opening up MS Networking across IPX/SPX - to IP?

Linda Ruiz linlu at yahoo.com
Thu Oct 14 00:01:39 GMT 2004


Thanks for your response, I am so far behind in my reading!!

I am leaning toward an IP solution with a firewall (that we run)
using our fave, IPTables to limit the access to just their PDC
on the Netbios ports from our user machines (not servers) as you
& others have recommended.  I wish there were a Netbios proxy -
non MS that is, that I could also put up - does anyone know of
one?  I could also have rules to limit/stop scans to x/minute in
case the PDC was infected on their side and began trying to
infect our side using the Netbios ports.

The easier part is our DB server, it's a DB protocol on a DB
port.  Rules for that are easy.

The only other issue I see, and which I can fix - is that we
have an overlap in our subnets.  I can move our stuff around on
our side to ensure that the traffic is routed properly across
the new firewall.

As for the no blame feature, let's just say the other side's
admins in the past blamed our group for every hiccup that
occurred when we were on their network.  I would at a minimum
only allow the Netbios (filtered/firewalled) linking to happen
if a no gripe policy was in place and they were banned from
scanning any of our traffic (suspension or firing).  

If they don't agree to our terms, then fine.  We'll make them
come to our DB server via Citrix.  We'll get email forwarded to
our email server.  Sharing files would have to be done via FTP. 
It will require additional work on our part, but it would cut
the link once and for all.

Thanks again,
Linda Ruiz :)
> Message: 3
> Date: Thu, 7 Oct 2004 12:03:09 +0200 
> From: Meidinger Chris <chris.meidinger at badenit.de>
> Subject: RE: [Dshield] Ramifications of opening up MS Networking
> 	across IPX/SPX - to IP?
> To: General DShield Discussion List <list at lists.dshield.org>
> Message-ID:
> <23ADBF4236843B469BE57F05F135897603F91114 at srvntexc2.swfr>
> Content-Type: text/plain
> 
> > 1.  Can't trojans/worms/viruses still traverse the IP/IPX 
> > boundary simply by infecting their PDC and therefore infect 
> > our network as well?
> 
> If their PDC is infected, is running IP, and can open new
> connections to machines on your network, then it can infect your
> network.
> 
> > 2.  They will be able to see our entire Network from that PDC.
> > What is to stop them from adding our Domain to the PDC's
> > browse list and in effect publishing our Network machine
> > names to their entire user base?
> 
> If the trust is one way, meaning that their pdc trusts yours,
> but not the
> other way around, (you mentioned that earlier) you are safe in
> the sense
> that their accounts cannot access resources on your network.
> However, if
> they have any IP access to your network, then they can
> enumerate domain
> computers and user accounts without even bothering to do it
> from the pdc.
> smbclient from the samba suite is a good starting point, but
> there are many
> other netbios enumeration tools.  
> 
> > 3.  Is my concern about exposing our machine names to a 
> > network (and their users) which I do not control valid?
> 
> In my opinion, the names are not that sensitive. I assume that
> they know
> your IP space, they can just query your DNS or WINS for the
> names. If there
> is any connection to a windows network, it will shout the
> names in every
> direction. There is no way (except switch trickery, like
> blocking
> broadcasts, which will open a host of other problems) to hide
> names on a
> netbios network. If you are really tricky, you can set the
> hostnames (DNS) different from the NetBIOS names -- I am fairly
> sure that this still works in server 200 -- and let them stumble
> around.
> 
> > 4.  If I remove IPX/SPX from all my servers, except the lone
> > DB server they need to access on our side, will this provide
> > any measure of protection from virus/worm/trojans and one
> > snoop happy admin?
> 
> No. Different Protocol != Security Measure
> 
> > 5.  What kind of misconfiguration on their side or mine could
> > open us up entirely to their network traffic?
> 
> I agree with a previous poster -- you need a firewall, not a
> router. Allow
> only outgoing traffic from workstations on your side to the
> netbios ports on
> their pdc, and you should be as OK as you can get.
> 
> > I would like to implement a special IPX/IP translating router
> > myself on our side which would translate IPX to IP and also
> > restrict incoming access to our DB server, and responses to
> > our workstation requests.  Is this even possible?  Any ideas
> > - Linux comes to mind, but I can resort to Windows if there
> > is no other choice.
> 
> iptables
> 
> > If we went ahead with this proposal I would do so only if I
> > received in writing, a policy of non-interference from their
> > group.  Examples include any problems with respect to
> > networking, virus/trojans/worms, logs filling up - all those
> > would be their problem and not ours. Complaining to
> > management about these problems would also be prohibited - if
> > their logs fill up that's their problem.  We would not be
> > told to stop doing anything on our network.  They would be
> > banned from sniffing/logging/or otherwise examining any of
> > our traffic.  All this is to prevent that one individual from
> > being allowed to impose his personal will on our group.
> 
> I've never heard of an agreement which specified 'no
> complaining' -- is this really practicable?
> 
> Are your two departments this much at war? What about just
> getting a linux
> box running to provide the services you need from their
> network, and once
> that works cutting all access to their net? 
> 
> Just some thoughts,
> 
> Cheers,
> 
> Chris
> 
> 
> End of list Digest, Vol 22, Issue 8
> ***********************************
> 


=====
For my non-geek friends:
Friends don't email friends .exe or .com files.  So don't open those types of attachments!!
For my geek friends:
Adopt a newbie....
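
The firewall policy the thread converges on (workstations only, to the
PDC's NetBIOS ports only; their side only to our DB server on its port;
rate-limiting so an infected PDC can neither hammer us nor fill the logs)
written out as an iptables script. This is an added example, not Linda's
or Chris's configuration: every address, interface name and the DB port
(1433 is assumed for MS SQL) is a placeholder to replace with the real
values. By default the script only prints the rules it would load;
run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): an iptables ruleset for the Linux
# firewall between the two Windows networks. It forwards only:
#  - our user workstations -> their PDC on the NetBIOS/SMB ports;
#  - their network -> our DB server on the DB port, with a per-source
#    limit on new connections so one infected host cannot hammer it;
# and drops everything else, with rate-limited logging so a scanning PDC
# cannot fill the firewall's own logs.
# All addresses, interfaces and the DB port below are assumptions for
# illustration. IPT defaults to a dry run that prints the commands.

IPT="${IPT:-echo iptables}"

OUR_IF="${OUR_IF:-eth0}"                   # assumed: faces our network
THEIR_IF="${THEIR_IF:-eth1}"               # assumed: faces their network
OUR_WS="${OUR_WS:-10.1.1.0/24}"            # assumed: our user workstations
OUR_DB="${OUR_DB:-10.1.2.10}"              # assumed: our DB server
THEIR_PDC="${THEIR_PDC:-192.168.50.5}"     # assumed: their PDC
THEIR_NET="${THEIR_NET:-192.168.50.0/24}"  # assumed: their address space
DB_PORT="${DB_PORT:-1433}"                 # assumed: MS SQL; use your DB's port

# Default-deny forwarding. Only replies to conversations we allowed come
# back; packets that match no known connection are dropped outright.
base_policy() {
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  $IPT -A FORWARD -m state --state INVALID -j DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# NetBIOS over TCP/IP: name service 137/udp, datagram 138/udp, session
# 139/tcp; 445/tcp is direct-hosted SMB on Windows 2000 and later.
# Only NEW connections from the workstation subnet to the PDC pass;
# our servers get no rule, so they cannot reach it at all.
nb_rules() {
  $IPT -A FORWARD -i "$OUR_IF" -o "$THEIR_IF" -s "$OUR_WS" -d "$THEIR_PDC" \
    -p udp -m multiport --dports 137,138 -j ACCEPT
  $IPT -A FORWARD -i "$OUR_IF" -o "$THEIR_IF" -s "$OUR_WS" -d "$THEIR_PDC" \
    -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
}

# The DB server is the one thing their side may initiate to. hashlimit
# keyed on source address caps new sessions per client (30/min, burst 50;
# tune to real load). Very old iptables spells --hashlimit-upto as
# --hashlimit.
db_rules() {
  $IPT -A FORWARD -i "$THEIR_IF" -o "$OUR_IF" -s "$THEIR_NET" -d "$OUR_DB" \
    -p tcp --dport "$DB_PORT" -m state --state NEW \
    -m hashlimit --hashlimit-name dbconn --hashlimit-mode srcip \
    --hashlimit-upto 30/min --hashlimit-burst 50 -j ACCEPT
}

# Log what is dropped, but cap the log rate so a scanning PDC cannot
# flood the firewall's logs (the thread's "logs filling up" worry).
log_drops() {
  $IPT -A FORWARD -m limit --limit 10/min --limit-burst 20 \
    -j LOG --log-prefix "FW-DROP: "
  $IPT -A FORWARD -j DROP
}

# Emit (or apply) the full ruleset in order.
apply_all() {
  base_policy
  nb_rules
  db_rules
  log_drops
}

# Review helper: print only the rules that let traffic through, so it is
# easy to confirm nothing from their side reaches our workstations.
accept_rules() {
  apply_all | grep -- '-j ACCEPT'
}

apply_all
```

The overlapping-subnet problem mentioned above has to be solved before
this does anything useful: every rule matches on source and destination
addresses, so both sides need distinct address space for the firewall to
tell "our workstations" from "their PDC". Note also that nothing here
stops their side enumerating names via the PDC itself; the policy only
controls what crosses the link.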


