sra@MITRE-BEDFORD.ARPA (12/05/85)
I would like to start a dialogue on network security. We currently have one host on the Milnet and are about to hook up our Ethernet subnet through a gateway. The problem is that upper level management is deathly afraid of hackers rummaging around throughout our network. It seems that one host on the network is almost acceptable but many may open up Pandoras box. What types of controls could be placed within the gateway to limit our access to random telnets and what arguments could we use to convince management that connecting our subnet to the Milnet does not increase our exposure to random attacks. Stan Ames sra at MITRE-Bedford
JNC@MIT-XX.ARPA ("J. Noel Chiappa") (12/05/85)
Various potential users of C Gateways have requested similar capabilities, and we had set up a mailing list to discuss exactly what mechanisms would be useful. However, due to lack of time on my part nothing has happened there yet. I would caution that the TCP-IP mailing list is a little big to conduct a discussion on; unfortunately I don't know of a good substitute. I would suggest that you contact your gateway vendor and see if he has any plans, or is setting up a customer discussion group. If you built your own gateway, then you're out in the cold; as far as I know, nobody has built any fancy access control mechanisms into any gateways yet. I'm not sure I see any necessity for standardization here; creating standards takes energy, of which there is a limited amount, and there are more important things needing to be standardized. Noel -------
mike@BRL.ARPA (Mike Muuss) (12/06/85)
If any of your hosts have dialups, then they are not any worse off being gatewayed to the MILNET. In any case, you can't depend on the network to provide reasonable security -- responsibility for security rests firmly on the host machine. For Army machines, this policy is well articulated by AR 380-380. BRL's machines implement minimum 6 char passwords, logging of all login attempts, both good and bad, plus operator notification of EVERY bad login attempt, plus connection disconnect after 3 tries. We have found these measures to adequately protect our machines at BRL. -Mike