DAMIAN@SRLVX0.SRL.FORD.COM ("Jerry Damian") (03/25/91)
Netlanders,

Is there a way to prevent a selected user(s) from TELNETing to other hosts once s/he has TELNETed in? I would like to be able to limit TCP/IP services in general to particular users depending upon the subnet from where they came. Things like secure inetd work with incoming connections, but is there anything I can use to limit outgoing connections based on where the call originated?

Thanks in advance,
Jerry Damian
Ford Motor Co.
damian@srlvx0.srl.ford.com
DAMIAN@srlvx0.srl.ford.com ("Jerry Damian") (03/26/91)
Netlanders,

The problem of "springboarding" I posted to this mail group on 3/25/91 can better be described with the following figure:

     -----   -----        56kb link
    | WSB | | RTB |--------
    |     | |     |        \         -----
     -----   -----          -------| RTA |
       |       |                   |     |
       |       |                    -----
       |       |                      |
       | isolated                     | remote
       | subnet                       | subnet
    -------------------------     ------------------
                |                         |
                |                         |
              -----                     -----
             | RTC |                   | WSA |
             |     |                   |     |
              -----                     -----
                | local
                | subnet
         ------------------
            |          |
          -----      -----
         | WSC |    | WSD |
         |     |    |     |
          -----      -----

where:
    WS[A-D] = workstations
    RT[A-C] = routers with filters

Problem: WSA is a workstation on a remote subnet. A user on WSA needs to TELNET to WSC on the local subnet in order to use resources there. However, once that user has connected to WSC, what (if anything) can be used to prevent him/her from using WSC as a "springboard" to attempt to break into machines on the local subnet, i.e. WSD? At the same time a user from WSC must still be able to connect to WSD. I need a way to restrict TCP/IP services on WSC based on whether the call originated from the remote subnet.

Note: Any user on WSA wanting to connect to WSC must first TELNET to WSB as a first line of defense. This can be accomplished via filters (IP address and port number) on RTB and RTC. Also, once the user from WSA has gotten past WSB and RTC and is connected to WSC, his/her packets cannot be distinguished from a local user on WSC wanting to use resources on WSD.

What are my options? Simply isolating WSC on its own subnet won't help. Is some kind of a kernel modification required? If so, what?

Thanks in advance,
Jerry Damian
Ford Motor Company
damian@srlvx0.srl.ford.com
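One way to express the decision the post is asking for, as an added example that is not part of the original thread: instead of looking at the packets WSC emits (which, as the post notes, look the same for every user), look up the origin host recorded for the user's login session and deny outbound connections to the local subnet only when that origin lies on the remote subnet. The subnet addresses and the who-style session lines below are constructed assumptions; the posts give no addresses.

```python
"""Session-origin policy for the springboard problem described above.

A login that arrived from the remote subnet may not open connections to
local-subnet hosts, while local and console logins are unrestricted.
Addresses and session records are constructed for this example."""
import ipaddress

# Hypothetical addressing: WSA's subnet and the WSC/WSD subnet.
REMOTE_SUBNET = ipaddress.ip_network("10.2.0.0/24")
LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/24")

# Constructed who(1)-style lines: user, tty, login time, origin host.
SESSION_LINES = """\
jdamian  ttyp0   Mar 26 09:12  (10.2.0.7)
local1   ttyp1   Mar 26 09:15  (10.1.0.12)
ops      console Mar 26 08:00
"""


def parse_sessions(text):
    """Map tty -> (user, origin address); origin is None for console logins."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        user, tty = parts[0], parts[1]
        origin = None
        last = parts[-1]
        if last.startswith("(") and last.endswith(")"):
            origin = ipaddress.ip_address(last[1:-1])
        sessions[tty] = (user, origin)
    return sessions


def outbound_allowed(sessions, tty, dest):
    """Decide whether the session on `tty` may connect to host `dest`.

    Only the springboard case is denied: a session whose login came from
    the remote subnet trying to reach a host on the local subnet."""
    if tty not in sessions:
        return False  # unknown session: fail closed
    _user, origin = sessions[tty]
    dest_ip = ipaddress.ip_address(dest)
    if origin is not None and origin in REMOTE_SUBNET and dest_ip in LOCAL_SUBNET:
        return False
    return True
```

The same check can be applied to any outgoing TCP service on WSC, not only TELNET, since it depends on the session's origin rather than on the protocol.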