 From:  "Brandon Holland" <brandon at cookssaw dot com>
 To:  "'Falcor'" <falcor at netassassin dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] windows built in "ident"...
 Date:  Tue, 30 Dec 2003 15:18:10 -0600
Everything that examines a packet is potentially a security risk.

Since I don't need to give an ident response (just a reset packet), I'd
hate taking the (albeit minimal) risk.  

The PERL script or the interpreter could be flawed.  It also takes
overhead to use and interpret it.

To me, besides being a security risk it is a waste of my time (to
configure and maintain), and server resources.  Besides, I don't have an
"extra" server, and I wouldn't want to put a direct port forward (for
perl or any program) straight to my main server.

Port forwards should never go to your "GREEN" connection - only go to
your DMZ.  (That'd defeat the purpose of DMZ)

I'm just saying, I'd rather have the weakest link be the BSD tcp stack
(which I hear is probably the best tcp implementation period) than
something else.

Ideally in my situation, only a select group of IP's gets a RESET packet
(IRC servers and the like). Everything else? It'd get dropped.

If I had something that actually needed a "correct" ident response
(maybe there are still some IRC servers out there that must "qualify"
you?) maybe then, if those IRC servers were important, I'd do it. BUT: I
still wouldn't want a port forward straight into my LAN.

Ideally, in that case, it'd be its own separate server in the DMZ.
Assuming your DMZ is well protected (and set up with performance
counters and other "detection" algorithms), you now know, and have time
to correct a flaw (and to kick out a hacker).

I didn't mean to turn this into a rant :) but F.Y.I. even NTP servers as
humble and simple as they are have fallen victim to hackers able to act
upon a flaw in NTP.

Still wanting "rejection,"
Brandon

-----Original Message-----
From: Falcor [mailto:falcor at netassassin dot com] 
Sent: Tuesday, December 30, 2003 1:45 PM
To: Brandon Holland
Cc: 'Mitch (WebCob)'; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] windows built in "ident"...

I use a PERL application that mimics an IDENTd daemon.  I then forward
all identd requests to that unix server.  All my internal clients then
can access IRC and other identd based auth systems with no problems.
And I don't risk much as the perl script simply replies with what I put
in a text file as the ident info, and not a compromisable component on a
windows box.

Brandon Holland wrote:

>You can allow IDENT based on certain IP's (say if you use a select group
>of IRC servers)
>
>And if we can add a "REJECT" you don't even have to fully allow ident
>anyway.  (Leave out your IRC app as a possibly hackable component)
>
>-----Original Message-----
>From: Mitch (WebCob) [mailto:mitch at webcob dot com] 
>Sent: Tuesday, December 30, 2003 2:43 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] windows built in "ident"...
>
>this may not be in here yet... maybe it's not easy... but if someone could
>point me in the right direction that would be a start...
>
>Other firewalls support passing requests made by certain applications...
>zone alarm or black ice for example - and the parts they have integrated
>with linksys routers... can detect a bogus HTTP request generated by a
>program OTHER THAN Internet Explorer (like by a virus or a messenger program
>trying to circumvent the firewall) and shut them down...
>
>They are able to detect the NAME of the application initiating the
>request...
>
>I'm thinking this is parallel to identd, but seems to be built into
>windows... Does anyone know what it's called or where the protocol is
>defined? Could be an interesting addition... I'd like to poke around in this
>area, but can't find where to start.
>
>Thanks.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
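For readers who want to see what the "static reply" ident approach Falcor describes actually looks like on the wire, here is an added example: a minimal RFC 1413 responder that answers every well-formed query with a fixed user string and never consults the real user table. This is constructed for this page in Python; it is not Falcor's Perl script and not part of m0n0wall. The reply user "nobody", the "UNIX" opsys token, the 30-second idle timeout and the listen address are assumptions made for the example.

```python
"""Static-reply ident (RFC 1413) responder.

Constructed example for this thread, not the poster's script. It shows the
point being argued: the daemon reveals nothing about local accounts because
the reply is a constant, and it still satisfies IRC servers that insist on an
ident answer. Malformed or oversized queries get no reply and the connection
is closed, which is what RFC 1413 permits.

Assumptions (not from the thread): STATIC_USER, OS_TOKEN, the 30 s timeout and
the 0.0.0.0:113 listener below are example choices.
"""

import socketserver
from typing import Optional

MAX_QUERY_OCTETS = 512   # RFC 1413 section 2: a request is at most 512 octets
STATIC_USER = "nobody"   # assumption: constant reply, never a real account name
OS_TOKEN = "UNIX"        # assumption: the opsys field returned to the querier


def _valid_port(value: str) -> Optional[int]:
    """Return the port as an int if it is a plain decimal in 1..65535, else None.

    str.isdigit() rejects signs, decimals and hex, so '-1', '1.5' and '0x71'
    all fall through to the INVALID-PORT path instead of raising.
    """
    value = value.strip()
    if not value.isdigit():
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None


def ident_response(query: bytes, user: str = STATIC_USER) -> Optional[bytes]:
    """Build the RFC 1413 reply for one raw query line (CR LF included).

    Returns the reply line, or None when the request is so malformed that the
    server should simply close the connection without answering.
    """
    if len(query) > MAX_QUERY_OCTETS:
        return None                      # oversized: never echo it back
    try:
        text = query.decode("ascii")
    except UnicodeDecodeError:
        return None                      # ident is 7-bit ASCII only
    parts = text.rstrip("\r\n").split(",")
    if len(parts) != 2:
        return None                      # not "<server-port> , <client-port>"
    server_port, client_port = (_valid_port(p) for p in parts)
    if server_port is None or client_port is None:
        # Echo the (bounded, ASCII) port pair so the client can match the
        # answer to its query, and use the error token RFC 1413 defines.
        echoed = " , ".join(p.strip() for p in parts)
        return f"{echoed} : ERROR : INVALID-PORT\r\n".encode("ascii")
    return f"{server_port} , {client_port} : USERID : {OS_TOKEN} : {user}\r\n".encode("ascii")


class IdentHandler(socketserver.StreamRequestHandler):
    """One connection, one query, one reply (or a silent close)."""

    timeout = 30  # assumption: idle clients cannot hold a worker open for long

    def handle(self) -> None:
        # Read at most one octet past the RFC limit so oversized lines are
        # detected by length rather than buffered indefinitely.
        line = self.rfile.readline(MAX_QUERY_OCTETS + 1)
        reply = ident_response(line)
        if reply is not None:
            self.wfile.write(reply)
        # Falling through closes the connection without a reply.


class IdentServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True


if __name__ == "__main__":
    # Binding TCP/113 normally needs privileges; the address is an assumption.
    with IdentServer(("0.0.0.0", 113), IdentHandler) as server:
        server.serve_forever()
```

Run it on the DMZ host the firewall forwards port 113 to, and a client query such as `6193, 23` receives `6193 , 23 : USERID : UNIX : nobody`. Because the answer never depends on the actual connection table, a remote IRC server learns nothing about which local account or Windows machine opened the connection, which is the property the thread is after.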