
RE: [FW1] OT - TCPDUMP posts risk or not?





Hmm.. TCPDUMP does not even use a port. It uses a local network interface.

Is the device that he wants TCPDUMP access to on HIS network? Does it only
touch his network devices? If so.. let him have it. It's his neck, not
yours.

If the device that he wants TCPDUMP access to is on yours or your client
networks, then give him an unequivocal no. The security risk is too high
for your networks and your client networks. Not only do you need to make him
aware of this situation, but also your senior managers and your sales folks
as well.



> -----Original Message-----
> From: Ivan Fox [SMTP:ifox100@hotmail.com]
> Sent: Friday, April 14, 2000 9:33 PM
> To:   Aaron Turner
> Cc:   Firewall-Wizards@Nfr. Net; Firewalls@Lists. Gnac. Net; Firewall 1
> Mail List
> Subject:      Re: [FW1] OT - TCPDUMP posts risk or not?
> 
> 
> The actual scenario is:
> 
> The customer has a VPN device on his campus and places a VPN device in our
> building to create a site to site tunnel.  He has also configured the VPN in
> our building to "route" encrypted data back to his VPN and "non encrypted"
> data to a server in our internal network.  I cannot obtain the documented
> configuration.  I have made protocol 50 and 51 and udp port 500 on the
> firewall so that his VPN device can talk to his VPN device in our building.
> He also wanted to have port 4000 opened for TCPDUMP and ports 9874, 9875 and
> 9876 for monitoring the VPN device in our building.
> 
> Any comments/suggestions are greatly appreciated.
> 
> Thanks for all input in advance.
> 
> Ivan
> 
> 
> 
> ----- Original Message -----
> From: "Aaron Turner" <aturner@vicinity.com>
> To: "Ivan Fox" <ifox100@hotmail.com>
> Cc: "Firewall 1 Mail List" <fw-1-mailinglist@lists.us.checkpoint.com>
> Sent: Friday, April 14, 2000 6:38 PM
> Subject: Re: [FW1] OT - TCPDUMP posts risk or not?
> 
> 
> >
> >
> > I'd say this is highly suspicious and would be a definite red flag.  My
> > company does a lot of business with Fortune 1000 companies such as FedEx
> > and Ford, as well as companies such as Network Solutions.  While some of
> > these customers have requested 3rd party security audits of our servers
> > and network, none have ever requested the ability to have access to
> > tcpdump on *my* servers.
> >
> > If they ever asked for such access, I'd tell them I'd be more than happy
> > to do that when cows fly in a frozen hell; but until then they are out of
> > luck.
> >
> > Also, I've never heard of any link between port 4000 and tcpdump.  I don't
> > know what they're pulling, but it isn't kosher.
> >
> > --
> > Aaron Turner        aturner@vicinity.com  650.237.0300 x252
> > Security Engineer                         Vicinity Corp.
> > Cell: 408-314-9874                        http://www.vicinity.com
> >
> > On Fri, 14 Apr 2000, Ivan Fox wrote:
> >
> > >
> > > I am extremely sorry that I have posted two OT messages today as the lists
> > > are my only sources of quality advice.  If there are other security mail
> > > lists for these types of questions, kindly let me know.  Thanks for your
> > > understanding in advance.
> > >
> > >
> > > One of our customers insisted that we open up port 4000 to allow them to
> > > transfer/monitor/use TCPDUMP.  We hesitated.  He threatens not to do
> > > business with us!
> > >
> > > Any security advice about TCPDUMP is greatly appreciated.
> > >
> > > Best regards,
> > >
> > > Ivan
> > >
> > >
> > >
> > >
> > > ================================================================================
> > >      To unsubscribe from this mailing list, please see the instructions at
> > >                http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
> > >