CLEANACCESS Archives

October 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Joe Feise <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 20 Oct 2006 12:35:58 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (41 lines)

On Fri, 20 Oct 2006 12:11:38 -0400, Bruce A. Locke <[log in to unmask]> wrote:

>On Fri, 2006-10-20 at 11:47 -0400, Joe Feise wrote:
>> http://www.securityfocus.com/archive/1/444424/30/0/threaded
>> It is no surprise that code shows up in the wild. As I said in another
>> thread, a reasonably smart computer science student can easily bypass the
>> TCP fingerprinting. And it is no surprise either that they help their fellow
>> non-CS students to get around the OS detection.
>> Our proof-of-concept code changes the TCP parameters to match a Mac, but it
>> could be any one of the currently 21 operating systems the underlying
>> security cloak tool supports. Or the TCP parameters could be changed
>> manually to values that aren't found in any OS.
>
>Sigh, more "security announcements" of things figured out years ago and
>not unique to CCA at all.  Modifying TCP stack settings to make an OS
>appear to be different to OS fingerprinting techniques is so...  1999
>or earlier-ish.

Sure it is. That's why it was surprising that Cisco uses that. The flawed
use of TCP fingerprinting is what the advisory is about.

>These are all well known issues that should already be known by any
>halfway competent network administrator deploying a NAC solution.

I agree.

>Reasonable solutions that don't involve forcing draconian
>processor/kernel level signed code techniques in operating systems or
>ditching Ethernet and TCP/IP are outlined in Cisco's response.

Using Nessus, you mean? In my answer I outlined a $20 workaround for that.

>The only true solution is people powered and if the admin feels it might
>be a problem there are ways to see through what you've outlined.  It is
>up to the administrator to decide if it's worth the time to whip out the
>cluebat and punish those users for violating the terms of service of the
>network.

Sure. But the users may indeed run Macs. Short of people having to present
their computers, you can't prove violations.
