Wednesday, January 31, 2007

Solaris 10 Ping-of-Death

Once again, proof that "oldie-but-goodie" attacks (to quote Ed Skoudis) are still prevalent and, scarier yet, still EFFECTIVE: ISC announced that there is a Ping-of-Death attack that will cause a kernel panic on Solaris 10. As of right now there's not much info; you can read more over at ISC.

The obvious mitigation is to filter ping (ICMP echo-request) at your border router/firewall. There isn't much need to allow ping into your network.

Enjoy.


Netscreen VIP ("Service not supported for this VIP")

While setting up a Netscreen 5GT, I ran into a bit of a perplexing issue.

Some background:

I was setting up the 5GT to do interface NAT from the Trust interface to the Untrust interface, with one caveat: I wanted to be able to SSH from the Untrust side to a machine on the Trust interface. Simple VIP (Virtual IP), right? Yes and no. In this case, since I had only 1 IP to play with on the Untrust interface, I set up the VIP on the Untrust IP itself.

The problem: when trying to create a VIP service (Network -> Interface -> Edit -> VIP/VIP Services, click on New VIP Service) with the SSH port (22) on the same IP as the Untrust interface, it balks with the error message: "Service (port=22) not supported for this vip 192.168.1.1". WTF?

Turns out that even though SSH management wasn't enabled on the Untrust interface, it still had the port reserved, such that I couldn't create a VIP service on that port. In order to get this to work, I had to change the SSH port in the management settings (still disabled, mind you) to 2222, so that I could then create the VIP service. To do this, in the WebUI, click on Configuration -> Admin -> Management and change the SSH port. If you wish to serve port 80 in a similar fashion, you'll need to change the HTTP port as well.

UPDATE: A reader (wow, someone actually reads this mindless drivel!) pointed out that this alone doesn't fix the problem, as you also need to create a policy rule that allows the SSH traffic to pass through. In the WebUI, click on Policies. Set the drop-down boxes at the top of the page to:

From: Untrust To: Trust

and click on New (in the right-hand corner). Name the policy something meaningful, and set the Source address to (ideally) a list of subnets to allow access from. Set the Destination address to the VIP interface that you created (for me VIP::1), set the Service to SSH, and make sure the Action is set to Permit. Adjust other settings as necessary for your environment.
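The same three steps (move the management port, create the VIP on the interface IP, add the Untrust-to-Trust policy) as ScreenOS CLI commands, added here as an example and not taken from the original post. The inside host 10.1.1.5, the allowed source subnet 203.0.113.0/24, the port 8080 and the exact command syntax are assumptions based on my recollection of ScreenOS; the interface names "untrust"/"trust" and port 2222 are from the post.

```text
# Added example: ScreenOS CLI equivalent of the WebUI steps above (not from the post).
# Assumptions: inside SSH host is 10.1.1.5, and only 203.0.113.0/24 may reach it.

# 1. Move the (still disabled) SSH management listener off port 22 so a VIP can use it.
set admin ssh port 2222
# Same idea for port 80: move the WebUI listener before publishing HTTP via the VIP.
set admin port 8080

# 2. Create the VIP on the Untrust interface's own IP, forwarding TCP/22 to the inside host.
set interface untrust vip interface-ip 22 "SSH" 10.1.1.5

# 3. The reader's point: without a policy the VIP alone passes nothing.
#    Restrict the source to a known management subnet rather than "any".
set address untrust "mgmt-net" 203.0.113.0 255.255.255.0
set policy from untrust to trust "mgmt-net" vip(untrust) ssh permit
save
```

Verify with `get interface untrust vip` and `get policy` that the VIP shows the SSH service and that the policy's destination is the VIP object rather than the bare interface address.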

Enjoy.
