Great Circle Associates Firewalls
(October 1992)
 


Subject: Re: liabilities of ports >1023
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Thu, 29 Oct 92 09:11:53 -0800
To: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Thu, 29 Oct 92 7:43:30 PST

Leland K. Neely <lkn @ s1 . gov> writes:

# I heard a story this week.  It seemed that one site set up filters to
# permit port>1023 access, excepting X and openwin, and thought they were OK.
# One user decided that he "REALLY" had to have access so he reset telnet
# (or rlogin, I am not sure) to listen to a port equal to his phone
# extension (e.g. 4532).  This worked so well that his buddies all had him do
# the same for them.  Now, each machine listened on a different port...

I firmly believe that ANY security mechanism can be compromised with
insider help.  The problem described above is a people problem, not a
technical problem.  You can't do effective security as an "add-on" at
the border of your site; it requires the explicit or implicit
cooperation (or at least the lack of active opposition) of the folks
you're nominally trying to protect.  If you don't have that, it's
hopeless.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
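The anecdote quoted above turns on a filter policy that trusts port numbers: once "anything above 1023" is allowed through, any service rebound to a high port becomes reachable. A defender's counterpart is a periodic audit of which high ports are actually listening on externally reachable addresses, compared against what the site has explicitly approved. The following is an added example, not code from the mailing-list post or from Great Circle Associates; it parses constructed `ss -ltn`-style output (the real tool prints this shape on modern Linux, but the sample lines and the allowlist are assumptions made up for illustration).

```python
"""Audit listening TCP sockets and flag high-port (>1023) listeners that are
reachable from off-host but are not on the site's approved list.

Added example for the thread above; the sample output and the policy set are
constructed, not taken from the original post.
"""
import re
from typing import List, Set, Tuple

# Constructed sample in the shape of `ss -ltn` output (assumption). Port 4532
# mirrors the "phone extension" listener described in the quoted story.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:6010       0.0.0.0:*
LISTEN  0       50      0.0.0.0:4532         0.0.0.0:*
LISTEN  0       5       [::]:6000            [::]:*
LISTEN  0       128     10.0.0.5:8080        0.0.0.0:*
"""

# Hypothetical site policy: the only high ports expected to listen on
# non-loopback addresses (X11 display :0 and a known web application).
ALLOWED_HIGH_PORTS: Set[int] = {6000, 8080}

# Matches one LISTEN row; the greedy address group backtracks to the last
# colon, so both "0.0.0.0:22" and "[::]:6000" split correctly.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every LISTEN row in the output."""
    listeners: List[Tuple[str, int]] = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def is_loopback(addr: str) -> bool:
    """Loopback-only listeners are not reachable through the border filter."""
    return addr.startswith("127.") or addr == "[::1]"


def unexpected_high_port_listeners(
    ss_output: str, allowed: Set[int] = ALLOWED_HIGH_PORTS
) -> List[Tuple[str, int]]:
    """High-port listeners on non-loopback addresses that policy does not list.

    These are exactly the sockets a "permit >1023" border filter would expose
    without anyone at the border having approved them.
    """
    return [
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if port > 1023 and not is_loopback(addr) and port not in allowed
    ]


if __name__ == "__main__":
    for addr, port in unexpected_high_port_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected high-port listener: {addr}:{port}")
```

On the constructed sample only `0.0.0.0:4532` is reported: port 22 is below the threshold, 6010 is bound to loopback, and 6000 and 8080 are on the approved list. Running such a check from each host (or from a scanner on the inside of the filter) turns a policy that rests on user cooperation into one that at least notices when that cooperation is missing.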


