Great Circle Associates Firewalls
(March 1994)
 


Subject: General questions from a firewall neophyte
From: jak @ mentat . com (Jim Krupp)
Date: Tue, 29 Mar 94 14:54:42 PST
To: firewalls @ greatcircle . com

I am new to this topic area and have been following pointers every which
way trying to get both knowledge and a feel for what's going on.  From
a novice's perspective, I offer the following observations/questions
and welcome any comments.

1.  It is difficult for me to separate "UNIX problems" from "Security
problems".  For example, are VMS sites running DECnet as concerned
with the same issues?  It's been years since I have been around DEC
OS's, but last time I was involved, it seemed to me like UNIX folks were
always worrying about things (like file system integrity) that VMS 
people took for granted.  I would be very interested in learning what
non-UNIX, non-TCP/IP people think about all this.  Any pointers?

2.  Little seems to be said about secure NFS or RPC in firewall
discussions.  Am I perhaps missing something?  We have employees
with machines at home who would like to NFS mount file systems across
the Internet.  I gather that some sites actually permit this on
isolated machines, but product literature and papers I've read don't
seem to talk about this much.  I know that "secure NFS" has its
own discussion group, but it seems like firewalls shouldn't completely
ignore the topic.

3.  As a practical matter, if one ignores bugs in things like sendmail
(yeah, I know, this isn't realistic--so think of this as a theoretical
question), and if only inbound news and mail are allowed onto the local
net from the outside world, and then only to a single machine which
forwards as needed, are there really any viable methods to get
through a router which is discarding all other IP packets?  If outbound
telnet/ftp are then added, with additional checks for the reverse ftp
data connection, are things any more compromised?  Then what about
X-servers which can only be started from in-house (e.g., running xterm
on a local secure machine and "throwing a window" onto a host across
the Internet).  What I am trying to understand, and what I have not been
able to discern from my reading, is to what degree security problems
result from trying to be more "open" than is prudent, and to what degree
there are real, intrinsic problems which must be guarded against.

Looking forward to reading your replies...

------------------------------------------------------------------------
Jim Krupp				Mentat Inc.
jak @ mentat . com			1145 Gayley Ave, Suite 315
voice:	(310)208-2650, ext 23		Los Angeles, CA 90024
fax:	(310)208-3724			USA
------------------------------------------------------------------------
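As an added illustration of the router policy asked about in item 3 (this is not part of the original post), the following Python model evaluates inbound TCP packets against those rules: mail and news only to the single gateway host, replies to outbound telnet/ftp, and the reverse ftp-data connection. The gateway address, local net prefix, sample traffic and the list of unprivileged-port services are constructed assumptions.

```python
from dataclasses import dataclass

GATEWAY = "192.0.2.10"   # assumed address of the single inbound mail/news host
LOCAL_NET = "192.0.2."   # assumed prefix of the protected local net
UNPRIVILEGED = 1024      # ftp clients accept the data connection on a port >= 1024
# Assumed inside services listening on unprivileged ports (X11 and NFS both come up in the post)
HIGH_PORT_SERVICES = set(range(6000, 6064)) | {2049}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool   # TCP ACK flag; clear only on the SYN that opens a connection


def inbound_allowed(p, strict):
    """Stateless decision for one inbound packet under the policy from the post.
    With strict=False the ftp-data exception is taken literally; with strict=True
    it refuses to deliver a server-initiated SYN to known unprivileged-port services."""
    if not p.dst.startswith(LOCAL_NET):
        return False
    if p.dst == GATEWAY and p.dport in (25, 119):      # inbound mail and news, one host only
        return True
    if p.ack and p.dport >= UNPRIVILEGED:              # replies to outbound telnet/ftp control sessions
        return True
    if p.sport == 20 and p.dport >= UNPRIVILEGED:      # reverse ftp-data connection: a SYN from the server
        return not (strict and p.dport in HIGH_PORT_SERVICES)
    return False


def evaluate(packets, strict):
    """Return {label: decision} for a batch of labelled inbound packets."""
    return {label: inbound_allowed(p, strict) for label, p in packets.items()}


# Constructed sample traffic arriving from outside (203.0.113.5 is a documentation address)
SAMPLE = {
    "smtp_to_gateway": Packet("203.0.113.5", 40001, GATEWAY, 25, ack=False),
    "smtp_to_other":   Packet("203.0.113.5", 40002, "192.0.2.20", 25, ack=False),
    "telnet_reply":    Packet("203.0.113.5", 23, "192.0.2.20", 35000, ack=True),
    "inbound_telnet":  Packet("203.0.113.5", 40003, "192.0.2.20", 23, ack=False),
    "ftp_data_reply":  Packet("203.0.113.5", 20, "192.0.2.20", 40004, ack=False),
    "port20_to_x11":   Packet("203.0.113.5", 20, "192.0.2.20", 6000, ack=False),
}

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "naive", evaluate(SAMPLE, mode))
```

The two modes differ only on the last sample: a stateless filter cannot tell a genuine ftp-data reply from any other packet that happens to carry source port 20, which is why the "additional checks" mentioned in the post matter and why sites of the period moved ftp onto an application gateway instead.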