CALIFFM@BAYLOR.BITNET (Michael Califf) (12/21/89)
Barry - We (Baylor University) have been wrestling with this same problem. We are currently solving it by piping all of our modem-to-network connections through our data PBX. The PBX allows us to restrict connections from dial-in modems by enforcing a username/password/access list check on an attached machine as part of the logon. The network-to-modem connections are also piped through the PBX. We use the terminal server's security software to restrict the IP addresses allowed to make a connection into the server (we have to worry about people making long-distance calls as well, to make sure auth-codes don't get "borrowed").

Mike Califf (POSTMAST[ER])      Communications Software Coord
Internet: CALIFFM@BAYLOR.EDU    Baylor University C.C.I.S.
Bitnet: CALIFFM@BAYLOR          B.U. Box 7268
THEnet: BAYLOR::CALIFFM         Waco, TX 76798-7268
Phone: (817) 755-2711
brian@ucsd.Edu (Brian Kantor) (12/22/89)
What we did here at UCSD to solve the problem of unauthorized network access from our dial-up Annex boxes is to hack up the nice Annex security code. Now if you dial up one of our boxes, you can telnet (or rlogin) to machines on a list of networks (our three class-B nets and the UC systemwide library catalog Class-A network) without user verification, but if you want to connect anywhere else, we'll demand a userid and a password from you, which are checked against a database. Thus students, staff, and faculty have no impediments in getting to the various machines on our network and I don't have to be responsible for maintaining access userids and passwords for some 20,000 people! Those few people who need off-campus access can get it by registering with us, and when someone abuses the access, I can turn it off. Perhaps not the best solution, but quite workable in our view.

Brian Kantor    UCSD Network Operations
UCSD C-024, La Jolla, CA 92093-0124 USA
brian@ucsd.edu  ucsd!brian  BRIAN@UCSD
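The destination-based policy described in the post above, sketched as an added example that is not part of the original thread and is not the Annex security code. The network ranges, user records and the `authorize` function are constructed assumptions; the thread gives no addresses or database format.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder ranges standing in for three class-B (/16) campus
# nets and one class-A (/8) net; the thread does not list the real ones.
OPEN_NETWORKS = [ipaddress.ip_network(n) for n in
                 ("172.16.0.0/16", "172.17.0.0/16", "172.18.0.0/16", "10.0.0.0/8")]


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the database never holds cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user database: userid -> (salt, password hash, enabled flag).
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), True),
    "mallory": (_SALT, _hash("hunter2", _SALT), False),  # turned off after abuse
}
_DUMMY = _hash("dummy", _SALT)  # compared against when the userid is unknown


def authorize(dest, userid=None, password=None):
    """Return 'allow', 'need-auth' or 'deny' for an outbound connection."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return "deny"  # hostnames must be resolved before the policy check
    # Destinations on the listed networks need no user verification.
    if any(addr in net for net in OPEN_NETWORKS):
        return "allow"
    # Anywhere else: demand a userid and password, checked against the database.
    if userid is None or password is None:
        return "need-auth"
    salt, stored, enabled = USERS.get(userid, (_SALT, _DUMMY, False))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "allow" if ok and enabled else "deny"


if __name__ == "__main__":
    for args in [("172.16.5.9",), ("192.0.2.10",),
                 ("192.0.2.10", "alice", "correct horse"),
                 ("192.0.2.10", "mallory", "hunter2")]:
        print(args[0], args[1:2], "->", authorize(*args))
```

The check runs on the resolved destination address, so a name that resolves outside the listed networks still triggers the credential prompt.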