From: Lars Mathiesen (sylECMWF.INT)
Date: Tue Mar 06 2001 - 05:48:37 CST


    On Mar 5, 20:07, Neil W Rickert wrote:
    > I am surprised to see this described as a flaw. It is behavior I
    > have been relying on for some time. Specifically, on my client
    > machines, I add a route to the alternate interface of my servers via
    > the direct interface of the same server. This allows direct
    > connection to the server without relying on a router, regardless of
    > which IP address is used for the service. For NFS clients, I
    > consider it important to be able to do this.

    We use a similar trick to provide failover between internal LANs for
    our servers: Every functioning interface announces the 'well-known'
    server address via a routing protocol, and the clients either run gated
    or rely on a router to pick the best route that they see an
    announcement for.

    > If there is a flaw, it is surely in the thinking of people who
    > mistakenly assumed that multi-homed systems would not behave so as to
    > allow this.

    I concur totally. Back when I designed security solutions (admittedly
    high end) for a living, best practice was that any system with a reason
    to distinguish its interfaces must have the less secure one on a
    dedicated LAN segment to a real router with antispoofing filters in
    place. And that includes commercial firewalls.

    (Of course a firewall should by default discard packets arriving at the
    wrong interface, but better safe than sorry).

    The farm of misconfigured NT web servers should be on a different LAN
    interface on the router, so rooting one won't enable an attacker to
    install password sniffers or send malformed or misrouted packets to the
    firewall/ mail gateway/ whatever.

    --
    Lars.Mathiesenecmwf.int
    ECMWF, Shinfield Park,
    Reading, Berks.
    RG2 9AX  England
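As an added illustration (not part of the original thread or either poster's setup), the following Python model makes the two behaviours under discussion concrete: the "weak host" behaviour Neil and Lars rely on, where a multi-homed server answers for any of its own addresses on whichever interface the packet arrives, versus a host or firewall that only answers for the address bound to the ingress interface; and the reverse-path anti-spoofing filter Lars wants on the router in front of the less trusted segment. All addresses, interface names and routes are constructed for the example.

```python
# Added example, not code from the original message. It models (a) a
# multi-homed host in "weak host" mode versus one that only answers on the
# owning interface, and (b) a strict reverse-path (anti-spoofing) filter on
# a router. Addresses, interface names and routes are made up.
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass
class Node:
    """A host or router: per-interface addresses plus a routing table."""
    name: str
    addrs: dict               # iface -> IPv4Address
    routes: list              # [Route, ...]
    strong_host: bool = False  # True: answer only on the interface owning the address

    def egress_iface(self, dst):
        """Longest-prefix match over the routing table; None if no route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.iface if best else None

    def accepts_for_self(self, dst, ingress):
        """Would a packet to dst, arriving on ingress, be treated as local?"""
        dst = ipaddress.ip_address(dst)
        if dst not in self.addrs.values():
            return False
        if self.strong_host:
            return self.addrs.get(ingress) == dst
        return True  # weak host: any own address, on any interface

    def rpf_accepts(self, src, ingress):
        """Strict reverse-path filter: the best route back to src must leave via ingress."""
        return self.egress_iface(src) == ingress


def example_server(strong_host=False):
    """Server with a leg on two internal LANs (constructed addresses)."""
    return Node(
        "server",
        addrs={"eth0": IPv4("10.1.0.5"), "eth1": IPv4("10.2.0.5")},
        routes=[Route(ipaddress.ip_network("10.1.0.0/24"), "eth0"),
                Route(ipaddress.ip_network("10.2.0.0/24"), "eth1")],
        strong_host=strong_host,
    )


def example_router():
    """Router separating a web-server segment from the internal LAN (constructed)."""
    return Node(
        "router",
        addrs={"dmz": IPv4("192.0.2.1"), "inside": IPv4("10.1.0.1")},
        routes=[Route(ipaddress.ip_network("192.0.2.0/24"), "dmz"),
                Route(ipaddress.ip_network("10.0.0.0/8"), "inside"),
                Route(ipaddress.ip_network("0.0.0.0/0"), "dmz")],
    )


def scenarios():
    """The cases discussed in the thread, as a dict of outcomes."""
    weak, strong = example_server(), example_server(strong_host=True)
    router = example_router()
    return {
        # Client on LAN A routes the server's eth1 address via its eth0 address,
        # so a packet for 10.2.0.5 arrives on eth0.
        "weak_host_serves_alt_addr_on_direct_iface": weak.accepts_for_self("10.2.0.5", "eth0"),
        "strong_host_serves_alt_addr_on_direct_iface": strong.accepts_for_self("10.2.0.5", "eth0"),
        "strong_host_serves_own_addr_on_right_iface": strong.accepts_for_self("10.2.0.5", "eth1"),
        # A compromised box on the web-server segment forging an internal source address.
        "rpf_drops_spoofed_internal_src_from_dmz": not router.rpf_accepts("10.1.0.77", "dmz"),
        "rpf_passes_genuine_dmz_src": router.rpf_accepts("192.0.2.10", "dmz"),
        "rpf_passes_internal_src_on_inside": router.rpf_accepts("10.1.0.77", "inside"),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:48} {ok}")
```

The weak-host case is exactly what lets an NFS client reach a server's alternate address over the direct link without a router; the strong-host case is the "discard packets arriving at the wrong interface" default a firewall should have. The reverse-path check is the router-side filter that stops a rooted host on one segment from sending packets with a source address belonging to another.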