blknowle@FRODO.JDSSC.DCA.MIL (Brad L. Knowles) (04/26/91)
Folks,

Keith McNeill (<mcneill@udel.edu>) says (in <9104251025.aa08966@louie.udel.edu>):

KM> We are setting up an internet gateway at work. Currently, we're going
KM> to set it up as a firewall system.

And later asks for help setting up a proxy-ftp and proxy-telnet system.

My first question is: Why a firewall system? Is it because David Curry in "Improving the Security of Your Unix System" recommends it?

Mitch Wright, System Administrator for a large network of machines owned by the 7th Communications Group of the United States Air Force (here in the Pentagon), administrator for the Sun-386i mailing list, and in general a knowledgeable kind of guy about Unix, says that a firewall system is not necessary if you set up the security on all of your systems to be as good as that of your proposed firewall system.

Additionally, Mitch says that if you are dependent upon your firewall system to protect you from system crackers, and they crack into your firewall system (based upon the presumption that no useful system is 100% cracker-proof), then you are left wide open to any attacks they may make. In fact, you may be even more vulnerable, because the security on your other systems might be even more lax than it would be otherwise, because you were lulled into a false sense of security by your firewall system.

It was Mitch's arguments that convinced me that David Curry was wrong, perhaps even dangerously so.

The short of it is, with good security practices on all of your machines, nothing like what happened to Clifford Stoll (written about in "The Cuckoo's Egg") is likely to happen to you. No matter what machine they crack into, it is just as tough for them to crack into any of your other machines as it was for them to crack into the first. Yes, it does require additional work on your part, but with good perl and rdist scripts, combined with cron jobs, you should be able to reduce this workload significantly.
Additionally, you really do get a lot more security, not just the illusion of more security.

If you want to talk to Mitch directly on this subject, so that he can get into a more detailed discussion of the subject, his e-mail address is "mitch@hq.af.mil".

My second question is: Do you really know what you would be letting yourself into by trying to set up a proxy-ftp and proxy-telnet system?

Two vendors that I am aware of have done this in the past (although they may or may not currently have this kind of set up), Sun Microsystems and Digital Equipment Corporation. Both had to write their own custom proxy-ftp and proxy-telnet software, which they appear to have kept proprietary. I understand that there is some work going on in the IETF about standardizing on this kind of thing, but I don't know how far along they are. Jon Postel might be able to update you, but I would guess that he has so many RFCs that he is editing that he doesn't really have the time to stay up-to-date on this stuff.

Mike (mo@messy.bellcore.com) later says (in <9104251505.AA04390@bellcore.bellcore.com>):

MO> Another alternative is to install (for example) a Cisco gateway that
MO> allows incoming packets for telnet, ftp, etc to go to ONLY the gateway
MO> machine, but allows outgoing packets to the same ports from any machine
MO> to proceed unimpeded.

Wow! I didn't know that gateways like the cisco were capable of this kind of thing. Could you elaborate a little more as to how you set up your gateway to do this?

Please respond via e-mail. I will summarize and re-post, if appropriate.

 ________________________________________________________________________
| Brad Knowles                 | Internet: blknowle@frodo.jdssc.dca.mil  |
| System Administrator         |       or: blknowle@wis-cms.dca.mil      |
| DCA/JDSSC/JNSL               | Ph: (703) 693-5849 Fax: (703) 693-7329 |
| The Pentagon, Room BE685     |_________________________________________|
| Washington, D.C. 20301-7010  | my opinions != DCA's opinions or policy |
|______________________________|_________________________________________|
mo@MESSY.BELLCORE.COM (04/26/91)
See the Cisco documentation "Packet Filtering". I was quite impressed myself when I heard about it.

-Mike
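Added example, not from this thread and not Cisco's configuration language: a small Python model of the filtering policy Mike describes (incoming telnet/ftp only to the gateway, outgoing telnet/ftp from any inside host), so the rules can be checked against sample packets before anyone types them into a router. The addresses (10.1.0.0/16 as the inside network, 10.1.0.1 as the gateway host), the sample packets and the rule format are assumptions. The "established" test (ACK or RST set, so not the opening SYN) stands in for the keyword of that name in Cisco extended access lists, and a single list is applied to traffic in both directions, which simplifies the router's per-interface lists. First match wins and anything unmatched is denied, as on the router.

```python
# Added example: a model of the packet-filter policy described in the
# thread (incoming telnet/ftp only to the gateway, outgoing from any inside
# host).  Not Cisco's configuration syntax; addresses are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.1.0.0/16")    # assumed inside network
GATEWAY = ipaddress.ip_network("10.1.0.1/32")   # assumed gateway host
TELNET, FTP_CTRL = 23, 21
PROXIED = frozenset({TELNET, FTP_CTRL})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # subset of {"SYN", "ACK", "RST"}

    def established(self) -> bool:
        # ACK or RST set: anything but the opening SYN of a new connection.
        return bool(self.flags & {"ACK", "RST"})


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dports: Optional[FrozenSet[int]] = None   # None matches any port
    sports: Optional[FrozenSet[int]] = None
    established: bool = False                 # require ACK/RST if True

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.sports is not None and pkt.sport not in self.sports:
            return False
        if self.established and not pkt.established():
            return False
        return True


# The policy from the thread, in router order (first match wins):
POLICY: List[Rule] = [
    # 1. anyone may open telnet/ftp to the gateway host only
    Rule("permit", dst=GATEWAY, dports=PROXIED),
    # 2. any inside host may open telnet/ftp outward
    Rule("permit", src=INSIDE, dports=PROXIED),
    # 3. replies to those outward sessions come back from port 21/23;
    #    admit them only if they are not a fresh SYN
    Rule("permit", dst=INSIDE, sports=PROXIED, established=True),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, 1-based rule number); ("deny", 0) is the implicit deny."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", 0


SAMPLES = [  # constructed packets, not captured traffic
    ("outside -> gateway telnet", Packet("192.0.2.10", "10.1.0.1", 40000, 23, frozenset({"SYN"}))),
    ("outside -> inside host telnet", Packet("192.0.2.10", "10.1.5.7", 40000, 23, frozenset({"SYN"}))),
    ("inside host -> outside ftp", Packet("10.1.5.7", "192.0.2.10", 40000, 21, frozenset({"SYN"}))),
    ("reply to that ftp session", Packet("192.0.2.10", "10.1.5.7", 21, 40000, frozenset({"SYN", "ACK"}))),
    ("new SYN faked from port 23", Packet("192.0.2.10", "10.1.5.7", 23, 40000, frozenset({"SYN"}))),
    ("active-mode ftp data from port 20", Packet("192.0.2.10", "10.1.5.7", 20, 40001, frozenset({"SYN"}))),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        action, number = evaluate(POLICY, pkt)
        where = f"rule {number}" if number else "implicit deny"
        print(f"{label:35s} {action:6s} ({where})")
```

Two limits of a stateless list like this show up in the last three sample packets. The replies to an outgoing telnet or ftp session come back with source port 23 or 21 and have to be let in, so the only thing separating them from a fresh inbound connection aimed at an inside host is the ACK/RST test; without it, an outsider could reach any inside host simply by sourcing from port 23. And an active-mode FTP data connection, which the server opens from port 20 back to the client, is refused altogether, so FTP through this filter needs either a further permit or the proxy host the thread is discussing.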
lear@turbo.bio.net (Eliot) (04/30/91)
Host security is nice, and should be practiced. Try implementing it on 20,000 Macs.

--
Eliot Lear
[lear@turbo.bio.net]
G.Eustace@massey.ac.nz (Glen Eustace) (04/30/91)
Our solution to the host security situation would involve 2 major components:

  1. Our intended firewall machine, and
  2. our Cisco router.

The Cisco can be set up to only allow certain kinds of IP connections to and/or from hosts that match specific conditions.

Our intention had been to provide all of our other hosts with a version of telnet and ftp etc. that connected internally to the firewall machine and then had it connect to the outside world via the Cisco. As has already been posted, the problem is the software. We need a client front end for the various utilities, telnet, ftp etc. and a server that could run on the firewall machine.

e.g.

    Client ------------> Firewall Host -------> Cisco -----> Internet

The Cisco would be set up to only allow outgoing telnet and ftp from the Firewall Host.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Glen Eustace, Systems Software Manager | EMail: G.Eustace@massey.ac.nz
Computer Centre, Massey University, Palmerston North, New Zealand
Phone: +64 63 69099 x7440, Fax: +64 63 505 607, Timezone: GMT-12
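Added example, not the proxy software this thread mentions and not code from AT&T, Sun or DEC: a minimal relay in Python for the "Firewall Host" box in the diagram above, with a throwaway client front end and a local echo service standing in for the outside host so that it runs offline. The first line the client sends ("host port"), the OK/ERR replies and the policy callback that decides which destinations the firewall host will connect to are assumptions for illustration; the point of the policy check is that the firewall host, not the inside client, is what the Cisco lets out, so it has to decide for itself where it is willing to go.

```python
# Added example: an application-level relay for the firewall host in the
# diagram above.  Not the software from the thread, nor AT&T's, Sun's or
# DEC's.  The control line 'host port\n' and the policy callback are
# assumptions; the echo server stands in for the outside world.
import socket
import threading

def _pipe(src, dst):
    """Copy bytes src -> dst until src sends EOF, then pass the EOF on."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _read_line(sock, limit=256):
    """Read one short line a byte at a time so nothing after it is swallowed."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        byte = sock.recv(1)
        if not byte:
            break
        buf += byte
    return buf.decode("ascii", "replace").strip()

def _refuse(client, message):
    """Send an error, then close in an orderly way so the client can read it."""
    try:
        client.sendall(message)
        client.shutdown(socket.SHUT_WR)
        while client.recv(4096):
            pass
    except OSError:
        pass

def handle_client(client, policy):
    """One inside connection: read the wanted destination, check policy, relay."""
    with client:
        client.settimeout(10)
        try:
            host, port_text = _read_line(client).split()
            port = int(port_text)
        except ValueError:
            return _refuse(client, b"ERR bad request\n")
        if not policy(host, port):          # the check the firewall host is there for
            return _refuse(client, b"ERR destination not permitted\n")
        try:
            outside = socket.create_connection((host, port), timeout=5)
        except OSError as exc:
            return _refuse(client, f"ERR connect failed: {exc}\n".encode())
        client.sendall(b"OK\n")
        with outside:
            back = threading.Thread(target=_pipe, args=(outside, client), daemon=True)
            back.start()
            _pipe(client, outside)          # inside -> outside in this thread
            back.join()

def serve(handler, host="127.0.0.1"):
    """Listen on an ephemeral port, one thread per connection; return the port."""
    listener = socket.socket()
    listener.bind((host, 0))
    listener.listen(5)
    def accept_loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]

def echo_handler(conn):
    """Stands in for the outside service so the example runs offline."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)

def relay_request(relay_port, host, port, payload):
    """What the client front end does: name the destination, then talk through it."""
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as sock:
        sock.sendall(f"{host} {port}\n".encode() + payload)
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def demo():
    """Constructed run: one permitted session through the relay, one refused."""
    echo_port = serve(echo_handler)
    def policy(host, port):                 # assumed allow-list: only the local echo server
        return host == "127.0.0.1" and port == echo_port
    relay_port = serve(lambda conn: handle_client(conn, policy))
    return {
        "permitted": relay_request(relay_port, "127.0.0.1", echo_port, b"hello via the firewall\r\n"),
        "refused": relay_request(relay_port, "192.0.2.10", 23, b""),
    }

if __name__ == "__main__":
    for name, reply in demo().items():
        print(name, reply)
```

For telnet a byte-for-byte relay like this is most of the job, since option negotiation passes straight through it. FTP is the harder case and the likely reason the vendors in this thread ended up writing custom software: the data transfer is a separate TCP connection negotiated inside the control channel, so a relay has to understand the PORT and PASV exchange and open or accept that second connection on the client's behalf rather than just copying bytes.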
tom@magnus.acs.ohio-state.edu (Tom Easterday) (04/30/91)
In article <1991Apr29.205508.23094@massey.ac.nz> G.Eustace@massey.ac.nz (Glen Eustace) writes:
>...stuff deleted...
>Our intention had been to provide all of our other hosts with a
>version of telnet and ftp etc. that connected internally to the
>firewall machine and then had it connect to the outside world via the
>cisco. As has already been posted, the problem is the software. We
>need a client front end for the various utilities, telnet, ftp etc.
>and a server that could run on the firewall machine.
>

AT&T uses such a system to connect their corporate net to the Internet. They have a machine that runs a proxy telnet, ftp and also does mail. They have not released the code that I know of, but then I have never asked. It works reasonably well from what I have seen. I am working on some network statistics stuff with AT&T folks in NJ and they pick up data every day from a machine on the local campus here through the firewall machine. I don't know if they have ported the proxy client to every type of machine internal to AT&T (like Macs, for instance) but I have seen it work from Suns.

You could try the following contact:

@whois att.com
AT&T Bell Laboratories (ATT-DOM)
   6200 East Broad Street
   Columbus, OH 43213

   Domain Name: ATT.COM

   Technical Contact, Zone Contact:
      Judge, Joseph  (JTJ11)  Joseph.T.Judge@ATT.COM
      (614) 860-7119