Welcome to ISAserver.org


Identifying computers

Identifying computers - 8.Sep.2008 2:44:06 PM   
john.r.perfect

 

Posts: 15
Joined: 12.Mar.2008
Status: offline
Is there any way to identify computers to ISA other than by IP? I’ve been working in ISA and haven’t been able to find a way to use anything else.

I’m asking because I want to head off IP spoofing.

Certificates can only be used for external access, correct?


Thanks.


_____________________________

-Perfect
Post #: 1
RE: Identifying computers - 8.Sep.2008 4:33:34 PM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
ISA will handle the spoofing all by itself without any intervention.

Don't have anonymous Rules and you won't have to worry about it because you will validate by user account instead of source IP#s.

How is a spoofed LAN IP going to accomplish anything?  If ISA thinks the packet came from say, 192.168.23.4 but it is spoofed,...where is the ISA going to "reply" to?  It is going to reply to 192.168.23.4 which is going to pass back to the real machine with that IP# and not the "hacker" and then the communication will fail.  If someone can explain that to me, great, I'm ready to listen,...but that has always been the big mystery to me,...how can you "lie" about your source IP#,...and then actually carry on a "conversation" at Layer3 which requires a correct source IP# (not a fake one) in order to function?

_____________________________

Phillip Windell
www.wandtv.com

(in reply to john.r.perfect)
Post #: 2
RE: Identifying computers - 9.Sep.2008 8:07:02 AM   
paulo.oliveira

 

Posts: 835
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi Phillip,

maybe this link can help you understand: http://www.securityfocus.com/infocus/1674

"...however, contains the source and destination IP addresses. Using one of several tools, an attacker can easily modify these addresses – specifically the “source address” field"


Regards,
Paulo Oliveira.

(in reply to pwindell)
Post #: 3
RE: Identifying computers - 9.Sep.2008 9:23:02 AM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Thanks,
I'll check it out.

But I understand the source address can be modified,...that's not the part I don't understand.

The problem is that the "hacker" is not really at the address they are "spoofing",...and all TCP communication is "two-way" so the "replies" or "acknowledgments" will be sent back to the spoofed address instead of the address the hacker is really at,...so what good does it do?

It would be like me sending you a piece of snail-mail with a fake return address,...when you reply you will reply to the fake return address,...and I won't get it,...so what good was it?

Anyway,..I'll check out the link.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to paulo.oliveira)
Post #: 4
RE: Identifying computers - 9.Sep.2008 9:43:00 AM   
pwindell

 

Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Here's a quote from that link that "kinda-sorta" says what I am trying to say:

Misconceptions of IP Spoofing
While some of the attacks described above are a bit outdated, such as session hijacking for host-based authentication services, IP spoofing is still prevalent in network scanning and probes, as well as denial of service floods. However, the technique does not allow for anonymous Internet access, which is a common misconception for those unfamiliar with the practice. Any sort of spoofing beyond simple floods is relatively advanced and used in very specific instances such as evasion and connection hijacking.

So, I'm not denying the threat,..I'm just saying that you aren't going to simply fake your IP# and go running "willy nilly" around on someone's network with it (like I'm afraid many people think). It is a whole lot more complex than that.  For most of the real damage you can do with it you have to physically be on the same subnet, like with the session hijacking stuff,...beyond that you are mostly left with just DoS attempts.  DoS is a pain of course but they aren't going to commit Corporate Espionage with it,...and ISA is pretty good at dealing with floods and DoS attacks all by itself.

Yes,..I had to use a spell-checker for "Espionage"


_____________________________

Phillip Windell
www.wandtv.com

(in reply to pwindell)
Post #: 5
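
The argument in posts #2 and #5 above, as an added example that is not part of any post and not ISA's own code: a simplified model of an ingress anti-spoofing check (the claimed source must belong to the network behind the adapter the packet arrived on) and of where the reply is routed once a packet is accepted. The topology, the addresses and the names `NETWORKS`, `check_packet` and `handshake_completes` are assumptions made for illustration.

```python
import ipaddress

# Constructed topology (assumption): source ranges considered valid per adapter.
NETWORKS = {
    "internal": [ipaddress.ip_network("192.168.23.0/24")],
    "external": [ipaddress.ip_network("0.0.0.0/0")],  # everything else
}

def owning_interface(ip):
    """Return the adapter whose most specific range contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, ranges in NETWORKS.items():
        for net in ranges:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0]

def check_packet(arrival_iface, claimed_src):
    """Ingress check: the claimed source must belong to the arrival adapter."""
    expected = owning_interface(claimed_src)
    if expected != arrival_iface:
        return {"verdict": "drop-spoofed", "reply_sent_via": None}
    # Accepted: the reply is routed by the claimed address, not by the
    # true sender, so it leaves via the adapter that owns that address.
    return {"verdict": "accept", "reply_sent_via": expected}

def handshake_completes(arrival_iface, claimed_src,
                        sender_owns_src, sender_sees_replies=False):
    """TCP needs the sender to receive the SYN-ACK addressed to claimed_src."""
    if check_packet(arrival_iface, claimed_src)["verdict"] != "accept":
        return False
    return sender_owns_src or sender_sees_replies

if __name__ == "__main__":
    cases = [  # (arrival adapter, claimed source, owns it, sees replies)
        ("external", "192.168.23.4", False, False),  # LAN address from outside
        ("internal", "203.0.113.9", False, False),   # outside address from LAN
        ("internal", "192.168.23.4", False, False),  # same LAN, replies go elsewhere
        ("internal", "192.168.23.4", True, False),   # genuine owner
    ]
    for iface, src, owns, sees in cases:
        print(iface, src, check_packet(iface, src)["verdict"],
              "handshake:", handshake_completes(iface, src, owns, sees))
```

The third case is the one the check cannot distinguish from the fourth, which is why the thread's advice is to authorize by authenticated user rather than by source address.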
RE: Identifying computers - 9.Sep.2008 6:04:00 PM   
paulo.oliveira

 

Posts: 835
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi Phillip,

got your point!

Regards,
Paulo Oliveira.

(in reply to pwindell)
Post #: 6
