[comp.sys.sun] Xenophobic TCP gatewaying

turner@ksr.com (James M. Turner) (09/21/90)

We're starting to look at the problem of securing a potential Internet
gateway.  Basically, the problem can be stated as such:

We want to be able to accept incoming mail and news, and make FTP requests
and logins to the net.  Other than that, we don't want ANY incoming or
outgoing traffic allowed.  In addition, we want to have verified and
absolutely secure versions of the daemons to be the ones we run.  We also
want to be able to make FTP requests from any machine on the local net,
but DO NOT want any packet from the outside to be able to pass the gateway
machine.

Has anyone attacked this problem to date, and if so, what recommendations
can you make?

Name:    James M. Turner
Company: Kendall Square Research
Email:   turner@ksr.com, ksr!turner
Phone:   (617) 895-9400

lars@spectrum.cmc.com (Lars Poulsen) (10/08/90)

In article <1990Sep20.203310.373@rice.edu> turner@ksr.com (James M. Turner) writes:
>We're starting to look at the problem of securing a potential Internet
>gateway.  Basically, the problem can be stated as such:
>
>We want to be able to accept incoming mail and news, and make FTP requests
>and logins to the net.  Other than that, we don't want ANY incoming or
>outgoing traffic allowed.  In addition, we want to have verified and
>absolutely secure versions of the daemons to be the ones we run.  We also
>want to be able to make FTP requests from any machine on the local net,
>but DO NOT want any packet from the outside to be able to pass the gateway
>machine.

We do it in a two-step:
(1) Our connection to the outside world is a non-programmable IP
    router with an ethernet plug on one side, and an X.25 connection
    to the local NSF-regional on the other side.
    This router is told to discard any packets with an ethernet IP
    address other than that of our "logical gateway" (see below).
    In our instance, the physical gateway is our own DRN-3200,
    but many ULANA compliant IP routers have such security filters.
(2) The logical gateway is a Sun 3/50 which does not participate in
    Yellow pages, and does not import any filesystems. It does, however,
    export some file systems, such as /usr/news, RFC repositories,
    etc.
(3) The logical gateway may be trusted by any other hosts on the site.
    The logical gateway may trust any other hosts it cares to.

We believe this to be simpler and safer than putting network connections
on the largest fileserver around, and then trying to secure it.  Since
security and convenience are obviously opposites, each site must make its
own tradeoffs.

/ Lars Poulsen, SMTS Software Engineer
  CMC Rockwell  lars@CMC.COM

nagle@well.sf.ca.us (John Nagle) (10/08/90)

turner@ksr.com (James M. Turner) writes:

>We're starting to look at the problem of securing a potential Internet
>gateway.  Basically, the problem can be stated as such:

>We want to be able to accept incoming mail and news, and make FTP requests
>and logins to the net.  Other than that, we don't want ANY incoming or
>outgoing traffic allowed.  In addition, we want to have verified and
>absolutely secure versions of the daemons to be the ones we run.  We also
>want to be able to make FTP requests from any machine on the local net,
>but DO NOT want any packet from the outside to be able to pass the gateway
>machine.

>Has anyone attacked this problem to date, and if so, what recommendations
>can you make?

Given your statement of the problem, the level of security you want to
achieve will be very difficult to reach.  NSA has spent millions on that
problem.  Check into the old ACAT/GUARD program at Logicon.

It's possible to restrict the packets which open TCP connections, but
under the set of restrictions you outline, the Morris worm still would
have gotten through, just as it got through the ARPANET/MILNET gateways,
which implement restrictions similar to the ones you outline.

If you're willing to disallow all actual connections through the gateway,
and just use it to forward mail and news, the problem becomes more
tractable.  Someone still might find a way to crack the gateway
machine, though, since it's on the Internet.  A more secure approach would
involve two machines, one on the Internet and one on your internal net,
interconnected by a dumb serial link used to send mail and news in a
simple format with as little control information as possible.

					John Nagle
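As an added illustration (not code from either poster), the screening-router half of Lars's two-step, with Nagle's point that it is the connection-opening segments one restricts, written as a small stateless filter in Python. The addresses, port list and sample traffic are constructed for the example.

```python
from dataclasses import dataclass

GATEWAY = "192.0.2.1"        # constructed: address of the "logical gateway" host
SITE_PREFIX = "192.0.2."     # constructed: the site ethernet
SMTP, NNTP, FTP, TELNET = 25, 119, 21, 23

@dataclass(frozen=True)
class Packet:
    iface: str            # "link": arrived from the outside line; "ether": from the site
    src: str
    dst: str
    dport: int
    syn: bool = False     # SYN without ACK marks the segment that opens a connection
    ack: bool = False

def on_site(ip: str) -> bool:
    return ip.startswith(SITE_PREFIX)

def router_decision(p: Packet) -> str:
    """Step (1) of the thread: the screening router. Stateless, first match wins."""
    if p.iface == "link":
        if on_site(p.src):
            return "drop: outside packet claims a site source address"
        if p.dst != GATEWAY:
            return "drop: inbound packet not addressed to the logical gateway"
        if p.syn and not p.ack and p.dport not in (SMTP, NNTP):
            return "drop: inbound connection to a port other than mail/news"
        return "pass"
    # Arrived from the site ethernet, heading out over the link.
    if p.src != GATEWAY:
        return "drop: only the logical gateway may send to the outside"
    if p.syn and not p.ack and p.dport not in (FTP, TELNET):
        return "drop: outbound connection to a port other than FTP/login"
    return "pass"

# Constructed sample traffic: (description, packet)
SAMPLES = [
    ("mail delivery to gateway",      Packet("link", "198.51.100.7", GATEWAY, SMTP, syn=True)),
    ("telnet attempt at gateway",     Packet("link", "198.51.100.7", GATEWAY, TELNET, syn=True)),
    ("telnet attempt at inside host", Packet("link", "198.51.100.7", "192.0.2.9", TELNET, syn=True)),
    ("spoofed site source",           Packet("link", "192.0.2.9", GATEWAY, SMTP, syn=True)),
    ("inside host FTPs directly",     Packet("ether", "192.0.2.9", "198.51.100.7", FTP, syn=True)),
    ("gateway FTPs out",              Packet("ether", GATEWAY, "198.51.100.7", FTP, syn=True)),
    ("reply data to gateway's FTP",   Packet("link", "198.51.100.7", GATEWAY, 4000, ack=True)),
]

def run_samples():
    return {name: router_decision(p) for name, p in SAMPLES}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} {verdict}")
```

Because the filter is stateless, any non-SYN segment addressed to the gateway passes, which is what lets the gateway's own outbound FTP and login sessions receive replies. FTP data connections in the original (active) mode are opened from the server side, so under this policy the gateway would have to use passive mode for transfers.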