RE: [nsp] Cisco Security Advisory: NTP vulnerability

From: KF (kf@reign.sk)
Date: Fri May 10 2002 - 09:24:53 EDT


Yes, yes, I can imagine... Hopefully, we are using antispoof filters over the borders... and I have to agree that knowing the content of the ACL is important...

anyway...see your point..

cheers..

Alex

> -----Original Message-----
> From: Damir Rajnovic [mailto:gaus@cisco.com]
> Sent: Friday, May 10, 2002 3:13 PM
> To: kf@reign.sk; psirt@cisco.com; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] Cisco Security Advisory: NTP vulnerability
>
>
> At 15:02 10/05/2002 +0200, KF wrote:
> >I was thinking of using access list for NTP daemon e.g. ntp access-group server 99.....
>
> You can use ntp access-group server but only to mitigate the exposure.
> All you need to do is to spoof the right source IP. This will allow
> the execution of control packets so you are still exposed.
>
> Gaus
>
> ==============
> Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager,
> Cisco Systems
> <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
> 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
> ==============
> There is no insolvable problems.
> The question is can you accept the solution?
>
>
>


