robjohn@OCDIS01.AF.MIL (Robert Johnson (CDC Contractor);CDC;) (05/24/90)
It seems to me that the real question of dial-up access for the Internet
stems from folks who travel and need to "phone home". The most obvious
solution is to have a dial-up modem on their "home" system and stay off
the Internet altogether. That way, their home system does all the user
verification and auditing.
But that's not how the real world works - right? I get the willies about
letting anyone dial up and get on the Internet without authentication and
audit trail. That would seem to invite abuse. The open-door "guest" account
is an invitation to disaster (or hassle, if the FBI asks why your system
allowed the bad guy access to the Internet). Unfortunately, all sites seem
to have their share of traveling dignitaries who need to check their email
in some other corner of the world.
To handle these, we set up a "guest" account which is password protected.
When a user logs into this account, they see a list of systems that they
can connect to. When a travelling dignitary comes on base, our customer
support folks offer the courtesy of using the guest account, and provide
him with the current password (they also make sure the right "home system"
is currently on the menu). After he leaves, they change the password on
the account. No logins to this guest account are allowed over modem or
from the Internet. The user must be "on base" to use the account. Not
only are we controlling guest access, but visitors are impressed by our
"thoughtfulness" in providing them with this "phone home" capability,
without them having to ask for it.
Bob Johnson
Tinker AFB
almes@RICE.EDU (Guy Almes) (05/25/90)
robjohn@ocdis01.af.mil (Robert Johnson (CDC Contractor);CDC;) writes:
<< But that's not how the real world works - right? I get the willies about
letting anyone dial up and get on the Internet without authentication and
audit trail. That would seem to invite abuse. The open-door "guest" account
is an invitation to disaster (or hassle, if the FBI asks why your system
allowed the bad guy access to the Internet). Unfortunately, all sites seem
to have their share of traveling dignitaries who need to check their email
in some other corner of the world. >>
Bob makes a good point which I'd like to strengthen. The Federation of
American Research Networks (FARnet) has gone on record as urging its
mid-level networks and the campuses they serve to disallow any
unauthenticated access to the Internet. Specifically, terminal servers
that require no authentication and then allow the caller full access to
the Internet must be reconfigured to either require authentication or to
provide access only to a set of hosts on campus that *do* require
authentication.
I also like his later example of how to be both courteous and careful:
<< To handle these, we set up a "guest" account which is password protected.
When a user logs into this account, they see a list of systems that they
can connect to. When a travelling dignitary comes on base, our customer
support folks offer the courtesy of using the guest account, and provide
him with the current password (they also make sure the right "home system"
is currently on the menu). After he leaves, they change the password on
the account. No logins to this guest account are allowed over modem or
from the Internet. The user must be "on base" to use the account. Not
only are we controlling guest access, but visitors are impressed by our
"thoughtfulness" in providing them with this "phone home" capability,
without them having to ask for it.
Bob Johnson
Tinker AFB >>
This is one example, among many possibilities, of how to be responsible.
-- Guy Almes
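
The guest-account arrangement described in the thread (a menu of permitted home systems, no logins over modem or from the Internet, and an audit trail), sketched as an added example that is not part of either message and not the site's actual configuration. It assumes dial-up lines are named ttyd* and that network logins carry a non-empty remote host; the host names and log path are constructed.

```shell
#!/bin/sh
# Added example: policy checks for a guest "phone home" menu.
# All names below are assumptions for illustration, not from the posts.
MENU="${MENU:-home1.example.edu home2.example.org}"  # constructed allow-list
AUDIT_LOG="${AUDIT_LOG:-/tmp/guest-audit.log}"       # hypothetical path

# Append one audit record: UTC timestamp, terminal line, decision, detail.
audit() {
    printf '%s tty=%s %s %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" >> "$AUDIT_LOG"
}

# Permit the guest account only on hard-wired on-site terminals: refuse
# dial-up lines (assumed to be named ttyd*) and any network login
# (assumed to carry a non-empty remote host).
origin_allowed() {   # $1 = tty name, $2 = remote host ("" if local)
    case "$1" in ttyd*) return 1 ;; esac
    [ -z "$2" ]
}

# Map a menu number to a host; anything but a listed number is refused,
# so the guest can never type an arbitrary destination.
pick_host() {        # $1 = user's choice; prints the host on success
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    n=0
    for h in $MENU; do
        n=$((n + 1))
        [ "$n" -eq "$1" ] && { printf '%s\n' "$h"; return 0; }
    done
    return 1
}

# Full decision for one login attempt; prints the destination or fails.
guest_connect() {    # $1 = tty, $2 = remote host, $3 = menu choice
    if ! origin_allowed "$1" "$2"; then
        audit "$1" DENY "origin=${2:-dialup}"; return 1
    fi
    if ! dest=$(pick_host "$3"); then
        audit "$1" DENY "bad-choice"; return 1
    fi
    audit "$1" ALLOW "dest=$dest"
    printf '%s\n' "$dest"   # a real wrapper would open the session here
}
```

Every attempt, allowed or refused, leaves one line in the audit log, which is the record a site would consult if asked who reached the Internet through the guest account.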