Date: Fri, 20 Oct 2006 12:35:58 -0400
On Fri, 20 Oct 2006 12:11:38 -0400, Bruce A. Locke wrote:
>On Fri, 2006-10-20 at 11:47 -0400, Joe Feise wrote:
>> http://www.securityfocus.com/archive/1/444424/30/0/threaded
>> It is no surprise that code shows up in the wild. As I said in another
>> thread, a reasonably smart computer science student can easily bypass the
>> TCP fingerprinting. And it is no surprise either that they help their fellow
>> non-CS students to get around the OS detection.
>> Our proof-of-concept code changes the TCP parameters to match a Mac, but it
>> could be any one of the currently 21 operating systems the underlying
>> security cloak tool supports. Or the TCP parameters could be changed
>> manually to values that aren't found in any OS.
>
>Sigh, more "security announcements" of things figured out years ago and
>not unique to CCA at all. Modifying TCP stack settings to make an OS
>appear to be different to OS fingerprinting techniques is so... 1999
>or earlier-ish.
Sure it is. That's why it was surprising that Cisco uses that. The flawed
use of TCP fingerprinting is what the advisory is about.
>These are all well known issues that should already be known by any
>halfway competent network administrator deploying a NAC solution.
I agree.
>Reasonable solutions that don't involve forcing draconian
>processor/kernel level signed code techniques in operating systems or
>ditching Ethernet and TCP/IP are outlined in Cisco's response.
Using Nessus, you mean? In my answer I outlined a $20 workaround for that.
>The only true solution is people powered and if the admin feels it might
>be a problem there are ways to see through what you've outlined. It is
>up to the administrator to decide if it's worth the time to whip out the
>cluebat and punish those users for violating the terms of service of the
>network.
Sure. But the users may indeed run Macs. Short of people having to present
their computers, you can't prove violations.