Firewall Wizards: Re: internal numbers visible when browsing

From: S. Jonah Pressman <jonah_at_istar.ca>
Date: Tue, 26 Sep 2000 11:50:35 -0400

JF:

The last thing you want an intruder to do is to pretend that he/she is
coming from a trusted inside address when, in fact, the intruder is
somewhere else altogether (i.e. spoof).

Your best line of defence in this case, without adding hardware, is to add a
simple rule to the border router that will deny incoming traffic at the
outer NIC pretending to come from a source address in 172.16.n.0/24,
notwithstanding that RFC 1918 describes 172.16.0.0/12 as a private address
range which is, by most vendor defaults, not routed....

Cisco Example (note the Cisco Wildcard for /24; inside named-ACL mode the
entries are given without the leading "access-list 101", and the list must
end with an explicit permit, because an extended ACL ends with an implicit
deny-all that would otherwise drop every packet arriving from the Internet):

# config t
(config)# ip access-list extended 101
(config-ext-nacl)# deny ip 172.16.1.0 0.0.0.255 any log
(config-ext-nacl)# deny ip 172.16.2.0 0.0.0.255 any log
(config-ext-nacl)# deny ip 172.16.3.0 0.0.0.255 any log
(config-ext-nacl)# <...and so on with your rules>
(config-ext-nacl)# permit ip any any

don't forget to apply the access-list to incoming traffic on the outside
interface

Cisco Example (assuming serial interface):

# config t
(config)# interface serial0
(config-if)# ip access-group 101 in

Best Regards,
Jonah

jf_at_gmx.net wrote:

> Hi everybody,
>
> This question may sound silly but.......
>
> Consider the following:
>
> internal net:     router:          Internet:
>
> 172.16.1.0/24     172.16.1.252     XXX.XXX.XXX.XXX
> 172.16.2.0/24
> 172.16.3.0/24
>
> All the subnets 172.16.yyy.yyy connect via the router to XXX.XXX.XXX.XXX
>
> When trying to find out which information is given outside the company's
> net by browsers (MSIE, Netscape), I found out that, except for 172.16.1.0/24,
> the internal IP (172.16.2.yyy ...) was transmitted.
>
> Does that mean a risk for the company ? Remember: there is no Firewall,
> just a screening router.....
>
> thanks, jf
>

--
S. Jonah Pressman
President
NCS Data Inc.
Thornhill, Ontario, Canada
jpressman_at_bigfoot.com
------------ 'ome is where you hang your @ -----------------
_______________________________________________
Firewall-wizards mailing list
Firewall-wizards_at_nfr.net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Received on Oct 01 2000