Old 08-15-2007   #6 (permalink)
Steve Riley [MSFT]

Re: Vista Business, VPN, and Split Tunnels

(...didn't see this other thread about the same issue, but I'll reply here
as well...)

Prior versions of Windows implemented the "weak end-system" (as opposed to
the "weekend system," haha) model in the IP stack. Windows Vista implements
the "strong end-system" model, which makes the kind of attack Jesper
describes less likely. Here's a description of the differences, quoted from
http://www.microsoft.com/technet/com...uy/cg0905.mspx
(there, the Cable Guy uses the term "host model" rather than "end-system
model):

When a unicast packet arrives at a host, IP must determine whether the
packet is locally destined (its destination matches an address that is
assigned to an interface of the host). IP implementations that follow a weak
host model accept any locally destined packet, regardless of the interface
on which the packet was received. IP implementations that follow the strong
host model only accept locally destined packets if the destination address
in the packet matches an address assigned to the interface on which the
packet was received. The current IPv4 implementation in Windows XP and
Windows Server 2003 uses the weak host model. The Next Generation TCP/IP
stack supports the strong host model for both IPv4 and IPv6 and is
configured to use it by default. You can configure the Next Generation
TCP/IP stack to use a weak host model. The weak host model provides better
network connectivity. However, it also makes hosts susceptible to
multihome-based network attacks.

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley


"thinkstorm" <thorsten.claus@gmail.com> wrote in message
news:1186683655.796898.222350@b79g2000hse.googlegroups.com...
> On Aug 9, 11:56 am, Jesper <Jes...@discussions.microsoft.com> wrote:
>> Yes, it is possible. If you receive packets with an internal source
>> address
>> on the external interface it will send the response to the internal
>> address.
>> There are obviously some restrictions with this, but it is perfectly
>> sufficient to propagate some attacks to the inside, for instance.

>
> Neat idea. Yes, I see how that could work... So the question is:
> is my firewall better than the company's firewall (because I can
> access the Internet through the VPN connection, only that I then would
> exit through the T1 that is shared with my 50 co-workers...)
>
> Thanks Jesper, I will look for someone to do a little audit about that
> issue...
>
> Cheers,
> Thorsten
>
>
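The receive-side difference between the two host models that Steve quotes above, as an added example that is not part of the original post or of any Microsoft code: a simulated multihomed Vista client with a LAN/Internet interface and a VPN interface, checking whether a packet addressed to the VPN interface's address but arriving on the Internet-facing interface is delivered locally. The interface names and the 203.0.113.10 / 10.0.0.5 addresses are constructed for the example, and only the receive check is modelled, not the send side.

```python
"""Weak vs strong host model: the local-delivery check for unicast packets."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    addresses: List[str] = field(default_factory=list)


@dataclass
class Host:
    interfaces: List[Interface]
    weak_host_receive: bool = False  # False = strong host model (Vista default)

    def _find(self, name: str) -> Optional[Interface]:
        return next((i for i in self.interfaces if i.name == name), None)

    def accepts(self, dst: str, arriving_on: str) -> bool:
        """True if IP delivers a packet with destination dst, received on
        interface arriving_on, to the local protocol stack."""
        iface = self._find(arriving_on)
        if iface is None:
            return False  # packet did not arrive on a known interface
        if self.weak_host_receive:
            # Weak host model: any address assigned to *any* interface of the
            # host is locally destined, whichever interface received it.
            return any(dst in i.addresses for i in self.interfaces)
        # Strong host model: the destination must be assigned to the very
        # interface on which the packet arrived.
        return dst in iface.addresses


def evaluate_scenario() -> Dict[str, bool]:
    """Constructed scenario: a packet for the VPN address 10.0.0.5 shows up on
    the Internet-facing 'Local Area Connection' instead of the VPN link."""
    ifaces = [Interface("Local Area Connection", ["203.0.113.10"]),
              Interface("VPN", ["10.0.0.5"])]
    weak = Host(ifaces, weak_host_receive=True)     # XP / Server 2003 style
    strong = Host(ifaces, weak_host_receive=False)  # Vista default
    return {
        "weak_wrong_iface": weak.accepts("10.0.0.5", "Local Area Connection"),
        "strong_wrong_iface": strong.accepts("10.0.0.5", "Local Area Connection"),
        "strong_right_iface": strong.accepts("10.0.0.5", "VPN"),
        "strong_foreign_dst": strong.accepts("198.51.100.7", "VPN"),
    }


if __name__ == "__main__":
    for case, delivered in evaluate_scenario().items():
        print(f"{case}: {'delivered' if delivered else 'dropped'}")
```

Under the weak model the packet that arrived on the wrong interface is still handed up the stack, which is the multihome exposure the quoted text refers to; under the strong model it is dropped while normal traffic on the VPN interface is unaffected.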
