Great Circle Associates Firewalls
(March 1993)

Subject: Re: Appletalk through firewalls.
From: johng@weema.chi.uwa.edu.au (John Gibbins)
Date: Thu, 4 Mar 93 8:49:57 WST
To: firewalls@GreatCircle.COM
In-reply-to: <9303031422.AA29352@weema.chi.uwa.edu.au>; from "Leland K. Neely" at Mar 3, 93 6:22 am

Leland K. Neely states:
> To me, it is not so much that you can or can not guarantee the source, but rather
> that there are other resources besides printers that can be accessed.  There is a
> growing number of remote management inits for macs that can be used to take
> control of a remote machine. The concept of proxy services is harder to
> do with appletalk.
> 
> Let's invent an ugly example:
> I have joe user who makes his disk available r/w to any guest user.
> (so he can share files easily)
> I mount his disk from my hostile location, and install a copy of Timbuktu
> (or whatever) and make sure that there is a copy of an IP program there.
> (IE Telnet, macX, ...)  
> I wait for a reboot to load my init.
> 
> Now - I grab ahold of the mac and fire up the ip client which works and displays
> on my machine. I then start hacking on remote IP based machines and the like.
> 
> Even easier--
> Hell, I could corrupt some init (such as one for viruses) that talks to tcpip 
> and then reports to a file that I could pick up every once in a while. 
> Then I replace it with some other that does something to cause a remote session
> back to me from my "real" target.
> 

If I could ensure that the guest user was disabled on all machines (this 
may not be feasible as I guess any staff/student could re-enable it 
without me knowing, but let's assume...) then would the same problems apply?
Would I just be making it slightly harder for the cracker?

If I could filter on appletalk network numbers and could trust the remote
network would that be safe?  i.e. could net numbers be faked?

> 
> OK - equal time-- you can make this better-
> 
> A way (no claims of performance or prettiness) to be somewhat secure--
> you create an appletalk DMZ.  This has a machine that has print queues for
> the remote printers on either side, (maint. required) and it would also use
> some sort of relay for file service mounts.  (IE mount with TOPS, exported with
> appleshare or something) 
> 
> IF you have other services that need to talk, then you have to put them here too
> (or a relay)  You have to look at this like a firewall.  You don't allow DIRECT
> access to your secure net.  Instead, you provide external access to that which
> you wish to share, and the rest is safe.  As always, the bastion hosts need to
> be watched.  I am also not sure I like the redistribution of volumes as this
> means that there is no prior review procedure to prevent dangerous or sensitive
> files from being moved.
> 
> Please be careful. I don't want to see you get burned.
> Good luck!
> Lee

Whatever I do, I think the chances of getting burned are very small given
that the network is limited to the state and I will limit it further
somehow.  I just want to make sure I do everything possible to ensure
that the chances are as minute as possible as even a slight singe could
be politically disastrous for us.
thanks
johng

-- 
John Gibbins                           The Western Australian Research Institute
The University of Western Australia      for Child Health Ltd     ,-_|\
email:  johng@chi.uwa.edu.au           GPO Box D184              /     \
Phone:  +61-9-3408547                  PERTH  W.A. 6001          *_,-._/
Fax:    +61-9-3883414                  AUSTRALIA                      v
"Nothing is foolproof as fools are so ingenious"
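The network-number filter John asks about above, as an added example that is not part of this thread or of any product it mentions: a small Python model of a router-side DDP packet filter that passes datagrams only when they claim a trusted source network number and carry one of the DDP types the print service needs. The long-form DDP header layout (13 bytes), the DDP type codes used as constants, the trusted network number 100 and the sample datagrams are all assumptions constructed for the example.

```python
import struct
from typing import NamedTuple

# DDP type codes as used by this example (assumed values, not taken from the thread).
DDP_RTMP, DDP_NBP, DDP_ATP, DDP_AEP, DDP_ZIP = 1, 2, 3, 4, 6

DDP_LONG_HEADER_LEN = 13  # long-form (routed) DDP header, link-layer framing already stripped


class DDPHeader(NamedTuple):
    length: int
    checksum: int
    dst_net: int
    src_net: int
    dst_node: int
    src_node: int
    dst_socket: int
    src_socket: int
    ddp_type: int


def parse_ddp_long(datagram: bytes) -> DDPHeader:
    """Parse a long-form DDP header: hop count/length word, checksum,
    destination net, source net, destination node, source node,
    destination socket, source socket, DDP type, then the payload."""
    if len(datagram) < DDP_LONG_HEADER_LEN:
        raise ValueError("datagram shorter than a long DDP header")
    fields = struct.unpack("!HHHHBBBBB", datagram[:DDP_LONG_HEADER_LEN])
    length = fields[0] & 0x03FF  # low 10 bits of the first word carry the datagram length
    if length != len(datagram):
        raise ValueError(f"length field {length} does not match {len(datagram)} bytes received")
    return DDPHeader(length, *fields[1:])


def build_ddp_long(src_net: int, src_node: int, dst_net: int, dst_node: int,
                   ddp_type: int, payload: bytes = b"",
                   dst_socket: int = 0x80, src_socket: int = 0x80) -> bytes:
    """Construct a long-form DDP datagram (used only to make sample input)."""
    length = DDP_LONG_HEADER_LEN + len(payload)
    header = struct.pack("!HHHHBBBBB", length & 0x03FF, 0, dst_net, src_net,
                         dst_node, src_node, dst_socket, src_socket, ddp_type)
    return header + payload


def filter_decision(datagram: bytes, trusted_nets: set, allowed_types: set) -> tuple:
    """Allowlist on the claimed source network number and the DDP type.
    Returns (allowed, reason)."""
    try:
        hdr = parse_ddp_long(datagram)
    except ValueError as exc:
        return False, f"drop: malformed ({exc})"
    if hdr.src_net not in trusted_nets:
        return False, f"drop: source net {hdr.src_net} is not trusted"
    if hdr.ddp_type not in allowed_types:
        return False, f"drop: DDP type {hdr.ddp_type} is not permitted"
    return True, f"pass: net {hdr.src_net} type {hdr.ddp_type}"


TRUSTED_NETS = {100}               # the one remote network we choose to trust (assumed)
PRINT_TYPES = {DDP_NBP, DDP_ATP}   # name lookup plus the ATP transport that PAP printing rides on


def main() -> None:
    # Constructed sample datagrams.
    genuine = build_ddp_long(100, 5, 1, 9, DDP_ATP, b"\x00" * 4)
    wrong_net = build_ddp_long(200, 5, 1, 9, DDP_ATP, b"\x00" * 4)
    wrong_type = build_ddp_long(100, 5, 1, 9, DDP_AEP)
    truncated = genuine[:6]
    for name, pkt in [("genuine", genuine), ("wrong_net", wrong_net),
                      ("wrong_type", wrong_type), ("truncated", truncated)]:
        print(f"{name:10s} -> {filter_decision(pkt, TRUSTED_NETS, PRINT_TYPES)[1]}")
    # The source network field is written by whoever sends the datagram; a datagram
    # built on net 200 that claims net 100 is byte-for-byte the genuine one.
    claimed = build_ddp_long(100, 5, 1, 9, DDP_ATP, b"\x00" * 4)
    print("claimed == genuine:", claimed == genuine)


if __name__ == "__main__":
    main()
```

The last two lines of `main` are the answer to the "could net numbers be faked?" question in the form a filter sees it: nothing in the header authenticates the source network number, so this allowlist is only as strong as the trust placed in the routers that forward traffic into the site. That is why the reply above still puts the printer queues and file-service relays in a separate zone rather than relying on address filtering alone.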
