[comp.protocols.tcp-ip] Setting up a Firewall system, proxy-ftp and proxy-telnet, ...

blknowle@FRODO.JDSSC.DCA.MIL (Brad L. Knowles) (04/26/91)

Folks,

Keith McNeill (<mcneill@udel.edu>), says
(in <9104251025.aa08966@louie.udel.edu>):

KM> We are setting up an internet gateway at work.  Currently, we're going
KM> to set it up as a firewall system. 

And later asks for help setting up a proxy-ftp and proxy-telnet system.

    My first question is: Why a firewall system?  Is it because David
Curry in "Improving the Security of Your Unix System" recommends it?

    Mitch Wright, System Administrator for a large network of machines
owned by 7th Communications Group of the United States Air Force (here in
the Pentagon), administrator for the Sun-386i mailing list, and in
general, a knowledgeable kind of guy about Unix says that a firewall
system is not necessary if you set up the security on all of your systems
to be as good as that of your proposed firewall system.  Additionally,
Mitch says that if you are dependent upon your firewall system to protect
you from system crackers, and they crack into your firewall system (based
upon the presumption that no useful system is 100% cracker-proof), then
you are left wide open to any attacks they may make.  In fact, you may be
even more vulnerable because the security on your other systems might be
even more lax than it would be otherwise, because you were lulled into a
false sense of security because of your firewall system.  It was Mitch's
arguments that convinced me that David Curry was wrong, perhaps even
dangerously so.

    The short of it is, with good security practices on all of your
machines, nothing like what happened to Clifford Stoll (written about in
"The Cuckoo's Egg") is likely to happen to you.  No matter what machine
they crack into, it is just as tough for them to crack into any of your
other machines as it was for them to crack into the first.  Yes, it does
require additional work on your part, but with good perl and rdist
scripts, combined with cron jobs, you should be able to reduce this
workload significantly.  Additionally, you really do get a lot more
security, not just the illusion of more security.

    If you want to talk to Mitch directly on this subject, so that he can
get into a more detailed discussion of the subject, his e-mail address is
"mitch@hq.af.mil".

My second question is: Do you really know what you would be letting
yourself into by trying to set up a proxy-ftp and proxy-telnet system?

Two vendors that I am aware of have done this in the past (although they
may or may not currently have this kind of set up), Sun Microsystems and
Digital Equipment Corporation.  Both had to write their own custom
proxy-ftp and proxy-telnet software, which they appear to have kept
proprietary.  I understand that there is some work going on in an IETF
about standardizing on this kind of thing, but I don't know how far along
they are.  Jon Postel might be able to update you, but I would guess that
he has so many RFCs that he is editing that he doesn't really have the
time to stay up-to-date on this stuff.

Mike (mo@messy.bellcore.com) later says (in
<9104251505.AA04390@bellcore.bellcore.com>):

MO> Another alternative is to install (for example) a Cisco gateway that
MO> allows incoming packets for telnet, ftp, etc to go to ONLY the gateway
MO> machine, but allows outgoing packets to the same ports from any machine
MO> to proceed unimpeded.

Wow!  I didn't know that gateways like the cisco were capable of this kind
of thing.  Could you elaborate a little more as to how you set up your
gateway to do this?

Please respond via e-mail.  I will summarize and re-post, if appropriate.
 ________________________________________________________________________ 
| Brad Knowles                 | Internet: blknowle@frodo.jdssc.dca.mil  |
| System Administrator         |       or: blknowle@wis-cms.dca.mil      |
| DCA/JDSSC/JNSL               | Ph: (703) 693-5849  Fax: (703) 693-7329 |
| The Pentagon, Room BE685     |_________________________________________|
| Washington, D.C.  20301-7010 | my opinions != DCA's opinions or policy |
|______________________________|_________________________________________|

mo@MESSY.BELLCORE.COM (04/26/91)

See the Cisco documentation "Packet Filtering"

I was quite impressed myself when I heard about it.

	-Mike

lear@turbo.bio.net (Eliot) (04/30/91)

Host security is nice, and should be practiced.  Try implementing it
on 20,000 Macs.
-- 
Eliot Lear
[lear@turbo.bio.net]

G.Eustace@massey.ac.nz (Glen Eustace) (04/30/91)

Our solution to the host security situation would involve 2 major
components: (1) our intended firewall machine, and (2) our Cisco router.
The Cisco can be set up to only allow certain kinds of IP connections
to and/or from hosts that match specific conditions.

Our intention had been to provide all of our other hosts with a
version of telnet and ftp etc. that connected internally to the
firewall machine and then had it connect to the outside world via the
cisco.  As has already been posted, the problem is the software.  We
need a client front end for the various utilities, telnet, ftp etc.
and a server that could run on the firewall machine.

e.g.

     Client ------------> Firewall Host -------> Cisco -----> Internet

The Cisco would be set up to only allow outgoing telnet and ftp from
the Firewall Host.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Glen Eustace, Systems Software Manager | EMail: G.Eustace@massey.ac.nz
 Computer Centre,  Massey University,  Palmerston North,  New Zealand
Phone: +64 63 69099 x7440, Fax: +64 63 505 607,       Timezone: GMT-12
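
A small Python model of the two router policies described in this thread (Mike's: inbound telnet/ftp allowed only to the gateway, outbound from any host; Glen's: outbound telnet/ftp allowed only from the firewall host), added here as an illustration and not code from any poster. The addresses, the "established" reply rule and the active-mode FTP data case are my own assumptions, not something the thread states.

```python
from collections import namedtuple

GATEWAY = "192.0.2.1"      # constructed: the site's firewall/gateway host
INSIDE = "192.0.2.50"      # constructed: an ordinary internal host
OUTSIDE = "198.51.100.7"   # constructed: some host on the Internet
TELNET, FTP_CTL, FTP_DATA = 23, 21, 20

# direction: "in" = Internet -> site, "out" = site -> Internet
# syn_only: True for a connection request, False once ACK is set ("established")
Packet = namedtuple("Packet", "direction src dst sport dport syn_only")
# A rule field left at None matches anything, like "any" in a Cisco access list.
Rule = namedtuple("Rule", "action direction src dst dport syn_only", defaults=(None,) * 4)

def matches(rule, p):
    return all(want is None or want == have for want, have in
               ((rule.direction, p.direction), (rule.src, p.src), (rule.dst, p.dst),
                (rule.dport, p.dport), (rule.syn_only, p.syn_only)))

def evaluate(rules, p):
    """First matching rule wins; anything unmatched is denied (the access-list default)."""
    return next((r.action for r in rules if matches(r, p)), "deny")

# Mike's policy: inbound telnet/ftp only to the gateway, outbound from any host, plus an
# "established" rule (assumed here) so replies to outbound sessions can come back in.
MIKE = [Rule("permit", "in", dst=GATEWAY, dport=TELNET),
        Rule("permit", "in", dst=GATEWAY, dport=FTP_CTL),
        Rule("permit", "in", syn_only=False),
        Rule("permit", "out")]

# Glen's policy: only the firewall host may open telnet/ftp to the outside.
GLEN = [Rule("permit", "out", src=GATEWAY, dport=TELNET),
        Rule("permit", "out", src=GATEWAY, dport=FTP_CTL),
        Rule("permit", "in", dst=GATEWAY, syn_only=False)]

def demo():
    """Decisions for constructed packets; the FTP data case shows why FTP gets proxied."""
    return {
        "in_telnet_to_gateway": evaluate(MIKE, Packet("in", OUTSIDE, GATEWAY, 40001, TELNET, True)),
        "in_telnet_to_inside": evaluate(MIKE, Packet("in", OUTSIDE, INSIDE, 40002, TELNET, True)),
        "out_telnet_from_inside": evaluate(MIKE, Packet("out", INSIDE, OUTSIDE, 5001, TELNET, True)),
        "in_reply_to_inside": evaluate(MIKE, Packet("in", OUTSIDE, INSIDE, TELNET, 5001, False)),
        # active-mode FTP: the server opens the data connection back to the client; a port
        # filter cannot tell that from an unsolicited connection, so it is denied.
        "in_ftp_data_to_inside": evaluate(MIKE, Packet("in", OUTSIDE, INSIDE, FTP_DATA, 5002, True)),
        "glen_out_from_inside": evaluate(GLEN, Packet("out", INSIDE, OUTSIDE, 5003, TELNET, True)),
        "glen_out_from_gateway": evaluate(GLEN, Packet("out", GATEWAY, OUTSIDE, 5004, FTP_CTL, True)),
    }
```

The FTP data case is the usual reason a pure port filter pushes you toward an ftp proxy on the gateway: the remote server's data-connection callback looks exactly like any other unsolicited inbound connection to an internal host.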

tom@magnus.acs.ohio-state.edu (Tom Easterday) (04/30/91)

In article <1991Apr29.205508.23094@massey.ac.nz> G.Eustace@massey.ac.nz (Glen Eustace) writes:
>...stuff deleted... 
>Our intention had been to provide all of our other hosts with a
>version of telnet and ftp etc. that connected internally to the
>firewall machine and then had it connect to the outside world via the
>cisco.  As has already been posted, the problem is the software.  We
>need a client front end for the various utilities, telnet, ftp etc.
>and a server that could run on the firewall machine.
>
AT&T uses such a system to connect their corporate net to the internet.
They have a machine that runs a proxy telnet, ftp and also does mail.
They have not released the code that I know of, but then I have never asked.  

It works reasonably well from what I have seen.  I am working on some 
network statistics stuff with AT&T folks in NJ and they pick up data every
day from a machine on the local campus here through the firewall machine.
I don't know if they have ported the proxy client to every type of machine
internal to AT&T (like Macs for instance) but I have seen it work from Suns.

You could try the following contact:

@whois att.com
AT&T Bell Laboratories (ATT-DOM)
   6200 East Broad Street
   Columbus, OH 43213

   Domain Name: ATT.COM

   Technical Contact, Zone Contact:
      Judge, Joseph  (JTJ11)  Joseph.T.Judge@ATT.COM
      (614) 860-7119