Great Circle Associates Firewalls
(September 1992)
 


From: uucp @ wattres . SJ . CA . US (UUCP administrator)
Date: Fri, 25 Sep 92 11:25:19 GMT
To: firewalls @ GreatCircle . COM

Newsgroups: firewalls
Path: wattres
From: uucp @ wattres . SJ . CA . US (UUCP administrator)
Subject: Re: routing..
Reply-To: firewalls @ GreatCircle . com
Organization: Steven Watt, Consultant   San Jose, CA, USA
Distribution: local
Date: Fri, 25 Sep 1992 11:25:05 GMT
Message-ID: <1992Sep25 . 112505 . 6444 @ wattres . SJ . CA . US>
Sender: uucp @ wattres . SJ . CA . US (UUCP administrator)

Newsgroups: firewalls
Path: wattres
From: Bob Stodola <stodola @ relay . fccc . edu>
Subject: Re: routing..
Reply-To: firewalls @ GreatCircle . com
Organization: Steven Watt, Consultant   San Jose, CA, USA
Distribution: local
Date: Fri, 25 Sep 1992 09:20:55 GMT
Message-ID: <1992Sep25 . 092055 . 1795 @ wattres . SJ . CA . US>
Sender: uucp @ wattres . SJ . CA . US (UUCP administrator)


>I was just playing with a brandy-new Sun that someone had had installed in a
>very vendor-default way by some OEM [complete with + in /etc/hosts.equiv],
>and realized that if I do NOT give it a default route, but only routes to some
>of our internal nets, that the outside world will essentially never know it's
>there.  I realized that I could probably do this on several other machines
>that normally never need to talk to the outside.  [And turn off routed, of
>course.]  Now, the question is, is there something I'm missing here such that
>this isn't enough?  I'm not addressing the concept of someone blind-barraging
>the machine with packets from the outside, of course...

I think this is only a viable strategy when you have complete control over all
systems in your network.  If you have a large, rambling network, you have
to assume that any weak, accessible system on it will give an invader a more
"trusted" status to attack other machines on the net, eventually finding
their way to the machines which you have "secured" in this fashion.

I think an important purpose of a firewall is to deny access to systems on my
net which are not well-managed, either through neglect or a low level of
technical expertise.  Even if I didn't care about protecting these systems,
it helps to control what I call the "friend of my brother-in-law's friend"
attack.

-------------------------------------------------------------------------------
Robert K. Stodola                            Phone: (215) 728-3660
Manager, Research Computing Services         FAX: (215) 728-2513
The Fox Chase Cancer Center                  internet: RK_Stodola @ fccc . edu
7701 Burholme Avenue              +--------------------------------------------
Philadelphia, PA  19111           | "Don't ever try to teach a pig to sing:  it
USA                               |  wastes your time and it annoys the pig."
----------------------------------+--------------------------------------------
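
The reply's argument as an added example, not part of the original posts: a small audit model that checks whether hosts left without a default route are still reachable through a weak internal host they trust. Host names, nets, and the rule that a weak host with a default route is the outsider's first foothold are assumptions made for the illustration.

```python
from collections import deque

# Constructed inventory: host names, nets and flags are hypothetical.
#   on      - net the host is attached to
#   routes  - internal nets it has routes to
#   default - True if it has a default route (outside can get replies)
#   weak    - poorly managed, assumed compromisable once reachable
#   equiv   - /etc/hosts.equiv entries; "+" trusts every host
HOSTS = {
    "pc-lab":  dict(on="lab",   routes={"lab", "admin"}, default=True,  weak=True,  equiv=set()),
    "www":     dict(on="lab",   routes={"lab"},          default=True,  weak=False, equiv=set()),
    "sun-new": dict(on="admin", routes={"admin", "lab"}, default=False, weak=False, equiv={"+"}),
    "db":      dict(on="admin", routes={"admin"},        default=False, weak=False, equiv={"sun-new"}),
    "vault":   dict(on="vault", routes={"vault"},        default=False, weak=False, equiv=set()),
}

def can_talk(hosts, a, b):
    """Two-way traffic needs a route in each direction."""
    return hosts[b]["on"] in hosts[a]["routes"] and hosts[a]["on"] in hosts[b]["routes"]

def trusts(hosts, b, a):
    """True if b accepts a's logins via hosts.equiv."""
    return "+" in hosts[b]["equiv"] or a in hosts[b]["equiv"]

def exposure_paths(hosts):
    """Map each host an outsider can end up on to the chain that gets there."""
    paths = {h: [h] for h, v in hosts.items() if v["default"] and v["weak"]}
    queue = deque(paths)
    while queue:
        a = queue.popleft()
        for b in hosts:
            if b not in paths and can_talk(hosts, a, b) and trusts(hosts, b, a):
                paths[b] = paths[a] + [b]
                queue.append(b)
    return paths

if __name__ == "__main__":
    found = exposure_paths(HOSTS)
    for name, v in HOSTS.items():
        if not v["default"]:
            print(name, "->", " > ".join(found[name]) if name in found else "not reached")
```

In this constructed inventory only the host with no route to the weak segment and no trust entries stays out of the result; removing the default route alone does not protect the others.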

