Thanks to Marcus Ranum for clarifying some details about DECs' proxy
FTP. I didn't ask my previous question very well, so I thought I would try
again! Knowing DECs' position, I am curious about how others feel.
One valuable thing about DEC's proxy services is the authentication of
outside users... without that, it doesn't make sense to use proxy services
for incoming users. My question was meant to discover the gotchas
(define the risks so I can weigh them against the costs) related to allowing
internal nodes use of telnet and ftp without going through a proxy service.
In other words, how bad is it to allow all incoming packets destined for
ports greater than 1023? (...so the ftp data channel will work.) That
is the bottom line when you look at the pros and cons of proxy services.
Firewalls using proxy services can filter *everything* except what is
specifically desired. Those that don't use proxy services must allow
all incoming packets destined for ports greater than 1023 (except 6000 and,
using Brent's advice, all UDP except DNS).
Doesn't this vastly increase the risk of compromise?
What kind of mean, nasty things can intruders do if you let them probe
your network using all those TCP ports?
What kind of things can internal users do (inadvertantly or intentionally)
to expose a network that allows incoming TCP packets destined for ports >1023?
Can an intruder get in without inside help (either inadvertant or intentional)?
I hope I have expressed my question better this time!
- Mac Allen jma21624 @