Firewalls: Re: restricting Internet Access

Firewalls
(February 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: restricting Internet Access
From:	hp90101 @ internet . sbi . com (Harry Protoolis)
Date:	Tue, 8 Feb 94 13:00:45 GMT
To:	Rens . Schipper @ rivm . nl
Cc:	firewalls @ greatcircle . com

Rens,

We restrict all connections to the internet via our firewall. I think that
unless you control outgoing connections you do create a significant security
hole.

As an example one of the ways in which the recent sendmail hole was exploited
was by planting a program on your mailhost that would attempt to open
a connection to a remote, unfriendly, host. This would allow an attacker
onto your system from outside and the connection would appear to have
been initiated *from the inside*. This would have beaten many 'packet
filtering' based firewall schemes.

There is always a tradeoff to be made between ease of use and security, a
great deal depends on what you are trying to achieve.

Cheers,
Harry Protoolis		"Sons of the South, make a choice between ...
harry @
 london .
 sbil .
 co .
 uk	The land that belongs to the lord and the Queen
			And the land that belongs to you." - Henry Lawson
			(with apologies for the sexist language)

Indexed By Date	Previous:	restricting Internet Access From: Rens . Schipper @ rivm . nl (Rens Schipper)
Indexed By Date	Next:	Re: Two security issues From: bdboyle @ maverick1 . erenj . com (Bryan D. Boyle)
Indexed By Thread	Previous:	Re: restricting Internet Access From: Rens Troost <rens @ lorax . IMSI . COM>
Indexed By Thread	Next:	restricting Internet Access From: richard @ wizard . ucs . sfu . ca (Richard Chycoski)