| Date: Wed, 25 Nov 92 17:42:00 PST
| From: shawni@tis.llnl.gov (Shawn Instenes)
|
| In comp.protocols.tcp-ip you write:
|
| > Well, I've received several replies regarding my unhappiness with
| > network firewalls. They fall into the following categories:
| >
| > 1. I'd rather protect one machine than the ten-thousand behind it.
| >
| > 2. So what are the [lauded] services you are missing?
| >
| > 3. Don't worry. Firewalls aren't as bad in general as the one you're
| > living behind.
| >
| > The third item answers the second to some extent. The firewall I have
| > to deal with only supports outgoing telnet and ftp sessions via a set of
| > utilities apparently fronted by Sun: itelnet and iftp. These work by
| > routing their outgoing connections through proxy servers on a machine
| > which is allowed to access the outside world and is also exposed to it.
|
| I assume you're referring to s1.gov... it's getting a little better there.
| Please understand that I don't run the systems there, but I work for
| DCSP. I used to work at O-div for a couple of months.
Yes, I'm talking about S1.GOV.
| There is PH passthru now (I wrote it) and a Gopher passthru is in the
| works, I think. They've been working on passthru X forever it seems (I
| don't know if it can be done, considering their security requirements).
| I missed a good deal of this thread... what other services DO you want?
So I get those services if I'm running on a Sun. What if I'm on a
Macintosh? What about an RS/6000? How about an HP? Etc.
Not only are the passthrough clients not available on any of the
platforms I mentioned, but even if they were, getting them installed on
everything in the universe and maintaining all that local software would
be a bitch and three halves. But trying to secure those same N machines
would be worse.
I really think that a transparent packet filter would be a better
approach. But I have to admit that I've just joined the firewalls
mailing list and I'm only now coming up to speed on what technologies
exist for firewall protection.
But even a packet filter wouldn't address some of the very real needs
for services that the outside world needs from S1.GOV. In particular,
there's no finger or whois service offered by S1.GOV, so it's impossible
to find out email addresses or get current information on users. Finger
is especially nice that way because many users leave personal calendars
in their .plan files. (And yes, I know the reigning paranoia about how
bad finger is because it lets outsiders know login IDs in use. It's very
simple to modify the finger daemon not to respond to an empty query.)
| > The only incoming connection arrangement is via a separate machine which
| > only allows telnet connections.
|
| The reason behind this is 1). Since I believe they'd lose their Internet
| access if they were broken into, they must keep security a high priority,
| but security consumes the resources of the administration staff, which
| isn't much to begin with. I myself maintain tight security on my machine
| which is out on Labnet, but it takes up a measurable fraction of my time
| every day. Multiply that by dozens of workstations. If an intruder
| breaks root on a machine, it's just too easy for him to use software to
| sniff out plaintext passwords going by on ethernet... so each workstation
| is the weakest link in the chain.
So? Things happen. If you insist on living in a perfect world, you'd
better just turn the computers off. The fact of the matter is that there
is no such thing as perfect security. Only better and better and at
exponentially increasing costs -- both in terms of administration and
user costs. You have to decide how much security you need and want, and
how much you're willing to pay.
But I know you know all of that already. (Seriously, I'm not being
snide.) From my point of view, as a user, the firewall at S1.GOV is just
too expensive. I'm constantly aware of it and constantly having to fight
it. Now, to some extent, that may be because I spend so much of my time
dealing with the outside world. Other users who just work on local
machines and interact with the outside world via email probably don't
notice anything and feel at ease knowing that their machines are ``safe''
from breakins.
| > Mail is MX'ed up the wazoo.
|
| This is bad? I'd think this is more a convenience issue than a firewall
| issue ... For example, TIS uses MX's and hidden hosts so that all
| incoming mail is forwarded to the correct machine for each user. We have
| a lot less problems with "follow the bouncing .forwards" than most.
Actually, it turns out that mail isn't MX'ed at all as far as I can
see. I just got a bounced mail message when I tried to send a message to
david@guardian.s1.gov.
The name servers advertise the IP addresses of
the machines under S1.GOV, but don't advertise any MX records for them.
Very strange. Exactly the opposite from what you'd see at other sites
that have erected firewalls.
As for ``following the bouncing forwards,'' how do MX records solve
that problem (not that I ever found it to be much of a problem when I was
running a bunch of machines)? All you've done is make it so that you
now have to be involved in every single mail home change that users go
through because they now have to ask you to change your central
forwarding database. (Unless of course you've duplicated the stuff they
have for LLNL.GOV that lets users change their own information.)
| > I maintain my home on GAUSS.LLNL.GOV and do all my outside communication
| > from here because I can avoid the firewall and its hassles.)
|
| I have my home out on labnet, too. I prefer investing the time to secure
| it rather than utilize the firewall because I like to tinker; I'm
| currently running network protocol experiments for DCSP on my workstation.
This is also going to be a problem for me. I'm planning on getting
involved with InterNet experiments with multicast protocols and I'm going
to need transparent access -- both in and out -- via multicast to the
outside world. I've put a bug in Lee and Tina's ears about this, but
haven't followed it up yet. I have a lot of reading to do before I can
get started on the project.
| > One of my biggest gripes is that we only have itelnet and iftp clients
| > for Suns. This leads to seemingly endless multi-hop store and forward
| > ftp acts guaranteed to try your patience.
|
| I agree trying to move something in or out without sitting at a machine
| inside is trying, at best. Sometimes it's painful. The goal was to
| severely reduce the chances of intrusion while still providing necessary
| network services. If you can think of a better method then by all means
| share it; I'll pass it on.
|
| My opinion is that as long as remote login protocols rely on such wimpy
| authentication mechanisms, firewalling will become more popular.
| Kerberos doesn't scale well enough to use on an Internet-wide or even
| Lab-wide level yet, but perhaps soon.
Well I wish we [the InterNet community] would get on with finding
solutions so we can get back to doing work instead of spending all our
time putting up barriers that get in the way of doing work. But I'm just
a bitter old hacker who remembers ``The Good Old Days'' when the range
wasn't fenced in by sheep ranchers.
Casey
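The thread mentions that a finger daemon can simply be changed to refuse the empty query (the one that lists every logged-in user) while still answering for a named user. The following is an added illustration of that mitigation, not code from the message or from any LLNL system: a minimal RFC 1288 query handler with a constructed two-entry user table standing in for a real passwd/.plan lookup, and a small socketserver wrapper so it can be run locally on an unprivileged port.

```python
"""Minimal finger (RFC 1288) request handler that refuses the empty
"list everyone" query. Added example; USERS below is a constructed table."""
import socketserver

# Constructed sample accounts (hypothetical; replace with a passwd/.plan lookup).
USERS = {
    "casey": {"name": "Casey", "plan": "Out Thu; reading multicast RFCs."},
    "shawni": {"name": "Shawn Instenes", "plan": "PH passthru maintenance."},
}

REFUSED = "Finger queries must name a user; listing all users is disabled.\r\n"
NO_FORWARD = "Finger forwarding is not supported.\r\n"
NO_USER = "No such user.\r\n"


def parse_query(line: bytes) -> dict:
    """Split one RFC 1288 request line ("[/W] [user]\\r\\n") into its parts."""
    text = line.decode("ascii", errors="replace").strip()
    verbose = False
    if text.startswith("/W"):          # /W asks for the long (verbose) form
        verbose = True
        text = text[2:].strip()
    user = text or None                # empty request => user is None
    # "user@host" is a relay request ({Q2} in RFC 1288); never honour it.
    forward = user is not None and "@" in user
    return {"verbose": verbose, "user": user, "forward": forward}


def handle_query(line: bytes) -> str:
    """Build the response text for one finger request line."""
    q = parse_query(line)
    if q["user"] is None:
        return REFUSED                 # the empty query: do not enumerate logins
    if q["forward"]:
        return NO_FORWARD
    entry = USERS.get(q["user"].lower())
    if entry is None:
        # Note: distinct "no such user" replies still allow guessing login
        # IDs one at a time; the thread only asks to stop the bulk listing.
        return NO_USER
    out = f"Login: {q['user'].lower()}\tName: {entry['name']}\r\n"
    if q["verbose"]:
        out += f"Plan:\r\n{entry['plan']}\r\n"
    return out


class FingerHandler(socketserver.StreamRequestHandler):
    """One connection: read a single request line, write the reply, close."""

    def handle(self):
        line = self.rfile.readline(512)      # cap the request length
        self.wfile.write(handle_query(line).encode("ascii"))


if __name__ == "__main__":
    # Real fingerd listens on 79/tcp; 7979 avoids needing root for a local test.
    with socketserver.TCPServer(("127.0.0.1", 7979), FingerHandler) as srv:
        srv.serve_forever()
```

Run it and try `finger casey@127.0.0.1` against port 7979 (or `printf '\r\n' | nc 127.0.0.1 7979` to see the refusal). The handler is split from the socket code so the policy can be tested without binding a port.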