Great Circle Associates Firewalls
(February 1994)
 


Subject: Re: restricting Internet Access
From: Rens Troost <rens @ lorax . IMSI . COM>
Date: Tue, 08 Feb 1994 10:51:25 -0500
To: Rens . Schipper @ rivm . nl (Rens Schipper)
Cc: firewalls @ greatcircle . com
In-reply-to: Your message of "Tue, 08 Feb 1994 12:30:48 GMT." <9402081230 . AA00623 @ floyd>
Reply-to: rens @ imsi . com

>>>>> On Tue, 8 Feb 94 12:30:48 GMT, Rens . Schipper @ rivm . nl (Rens Schipper) said:

Wow, another Rens! Welcome.

  Schipper> Should you restrict users on the internal network to
  Schipper> communicate to the Internet?

I find it useful to put user-level access control at the firewall. I
have several 'problem' users who insist on downloading huge amounts of
software over our relatively slow T1 that are already mirrored
locally. They can be stopped this way. It also helps to block out
notorious MUDs, etc.

  Schipper> We've installed a firewall that works two ways. We
  Schipper> consider the internal network as safe (or unsafe) as the
  Schipper> Internet. So every connection that originates from within
  Schipper> the internal network has to go through our firewall as
  Schipper> well.

I'm confused by this; do you mean internal->internal connections go
through the firewall? Or do you mean you need to stop internal people
from cracking external machines?? I find that if you have to protect
yourself against internal users, the best recourse usually involves
security guards and not technical solutions.

  Schipper> This creates an extra checkpoint! If someone should
  Schipper> compromise a system on our internal network and wants to
  Schipper> hop to another network he'll be blocked and/or noticed by
  Schipper> our firewall.

But how do you distinguish between legitimate and illegitimate
outbound traffic? telnet is telnet.

  Schipper> What risks are to be considered when a PC on the internal
  Schipper> network can make unrestricted connections to the internet?

If you use an application relayer, like SOCKS, then your main problem
is accountability; typically the PC user can spoof any desired user.
Make sure you are not using ruserok authentication on the firewall. My
firewall only allows access to the machine via the console, which is
on a terminal server and thus accessible anywhere on the internal net.
There are safeguards...silent monitoring stuff.

-Rens Troost
--
  o===============================================================o
  | J. Laurens Troost - UNIX Systems  | At Work: rens@imsi.com    |
  | Investment Management Svcs, Inc.  | At Play: rens@century.com |
  | 12 East 49th Street,  35th floor  |   Phone: (212) 339-2823   |
  | New York, New York         10017  |     Fax: (212) 339-2854   |
  o===============================================================o
     -- IMS is unlikely to share any of the above opinions --
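The accountability problem Troost raises (a SOCKS relay only knows the user name the PC chose to send) is easier to see in wire terms. The following is an added example, not code from the original post and not any real SOCKS implementation: it encodes and decodes a SOCKS4 CONNECT request (VN, CD, DSTPORT, DSTIP, NUL-terminated USERID), applies a per-user deny list of the "problem user" kind the post describes, and then shows the same request getting through with a different USERID. A second decision function keys the policy on the source address the relay actually observed instead. The deny tables, the 10.0.0.x client addresses and the 192.0.2.10 destination are constructed for illustration.

```python
"""SOCKS4 CONNECT handling: the USERID field is asserted by the client.

Added example (not from the mailing-list post). Policy tables and
addresses below are constructed for illustration.
"""
import ipaddress
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90
REPLY_REJECTED = 91


def build_socks4_connect(dst_ip: str, dst_port: int, userid: str) -> bytes:
    """Encode a SOCKS4 CONNECT: VN, CD, DSTPORT (BE16), DSTIP (4 bytes), USERID, NUL.

    USERID is whatever the client program writes into the request; nothing in
    the protocol binds it to a real account on the client host.
    """
    header = struct.pack(">BBH4s", SOCKS_VERSION, CMD_CONNECT, dst_port,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header + userid.encode("ascii") + b"\x00"


def parse_socks4_connect(data: bytes) -> dict:
    """Decode a request exactly as the relay sees it; ValueError if malformed."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    (port,) = struct.unpack(">H", data[2:4])
    ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    return {"dst_ip": ip, "dst_port": port, "userid": data[8:nul].decode("ascii")}


def build_socks4_reply(granted: bool) -> bytes:
    """SOCKS4 reply: VN=0, CD=90 (granted) or 91 (rejected), DSTPORT/DSTIP (zeroed here)."""
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack(">BBH4s", 0, code, 0, b"\x00" * 4)


# Constructed policy tables (hypothetical).
DENY_BY_USER = {"bob": {"192.0.2.10"}}       # "bob" may not reach this host
DENY_BY_HOST = {"10.0.0.5": {"192.0.2.10"}}  # bob's PC may not reach it, whatever name it sends


def decide_by_userid(request: bytes, client_ip: str) -> tuple:
    """Policy keyed on the client-asserted USERID.

    The log line records whoever the client claimed to be, and the deny list
    is bypassed by claiming another name. Returns (allowed, log_line).
    """
    req = parse_socks4_connect(request)
    blocked = req["dst_ip"] in DENY_BY_USER.get(req["userid"], set())
    log = (f"user={req['userid']} src={client_ip} "
           f"dst={req['dst_ip']}:{req['dst_port']} {'DENY' if blocked else 'ALLOW'}")
    return (not blocked), log


def decide_by_client_host(request: bytes, client_ip: str) -> tuple:
    """Policy keyed on the source address observed on the TCP connection.

    Only as strong as address assignment on the internal net, but the client
    cannot change it by editing one field of the request. The claimed user is
    still logged, as a hint rather than as an identity. Returns (allowed, log_line).
    """
    req = parse_socks4_connect(request)
    blocked = req["dst_ip"] in DENY_BY_HOST.get(client_ip, set())
    log = (f"src={client_ip} claimed_user={req['userid']} "
           f"dst={req['dst_ip']}:{req['dst_port']} {'DENY' if blocked else 'ALLOW'}")
    return (not blocked), log


if __name__ == "__main__":
    bobs_pc = "10.0.0.5"
    honest = build_socks4_connect("192.0.2.10", 21, "bob")    # bob admits who he is
    spoofed = build_socks4_connect("192.0.2.10", 21, "alice")  # same PC, different USERID
    for label, req in (("honest ", honest), ("spoofed", spoofed)):
        print(label, "by-userid:     ", decide_by_userid(req, bobs_pc)[1])
        print(label, "by-client-host:", decide_by_client_host(req, bobs_pc)[1])
```

Run as a script, the honest request is denied under both policies, while the spoofed one is allowed by the USERID policy (and logged against "alice") but still denied by the source-address policy. The second approach is what a relay could actually enforce in this setting; it is weaker than real per-user authentication at the relay, which SOCKS4 does not provide.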

