[olug] VNC w/Qwest
Daniel Linder
dan at linder.org
Tue Oct 16 15:51:52 UTC 2007
On Tue, October 16, 2007 09:14, Luke -Jr wrote:
> Network debugging is always a need.
I agree, but I don't want to let my network be remotely "debugged" by
every script-kiddie who figured out how to bring up nmap and started
blasting ICMP packets at my internal network.
> There are no security concerns related to ICMP.
In my line of work, "security concerns" are more than just "can an ICMP
packet kill my machine" (Google "teardrop attack" - sure, it's supposedly
fixed now, but early revisions of the Vista TCP/IP stack had this exact
same bug!)
Furthermore, security involves more than just ports on a firewall -
specifically, it involves internal data. If someone knows that they can
send ICMP packets through the firewall, then they have the basis for a
covert channel for data communication. (Google "icmp tunneling")
> Every IPv4 address includes at least one /48 IPv6 subnet. I think two, but
> I could be wrong (maybe even more). IPv4 address aaa.bbb.ccc.ddd includes
> IPv6 subnet 2002:aabb:ccdd::/48, including automatic routing around
> IPv4-only routers. If I ping 2002:your:ipv4::1, you *will* see it in
> tcpdump (unless your ISP is evil and explicitly blocks it).
Now that I didn't know -- I'll have to brush up on my V6 a bit when I get
some time.
Dan
- - - -
"There are four boxes to be used in defense of liberty: soap, ballot,
jury, and ammo. Please use in that order."
-- Ed Howdershelt (Author)
"I do not fear computers, I fear the lack of them." -- Isaac Asimov (Author)
** *** ***** ******* *********** *************
Clandestine, Glock, Scully, Artichoke, SHF, virus, POCSAG
orthodox, SABC, MSNBC, Rapid Reaction, DITSA, CCS, AVN
BITNET, Secure, Compsec 97, Fax, EADA, B.D.M.,Sphinx, TRW
More information about the OLUG
mailing list