On Thu, 5 Jan 1995 firewalls-digest-owner@GreatCircle.COM wrote:
>
> Firewalls-Digest Thursday, 5 January 1995 Volume 04 : Number 011
...
> ------------------------------
>
> From: Steve Marquess <steve@tdg.rsca.com>
> Date: Thu, 5 Jan 1995 14:58:35 -0500
> Subject: Re: FW: PC Take-Over -- reply
>
> >Wulf Losee says:
> >
> >Correct me if I'm wrong (please!), but since DOS and regular Windows (both
> >Windows 3.x and Windows for Warehouses) are not multitasking,
> >multithreading operating systems it would be impossible to subvert these
> >systems unless the cracker were dialing in through a modem or actually
> >sitting at the PC's console.
> >
>
> Probably true in general, but I have a PC here running DOS and a TSR from a
> widely used protocol stack (Novell's LWPD, the tsr is XPC.EXE) that I can
> telnet into and execute DOS commands -- including, in principle, commands to
> access LAN file servers or the mainframes that are not reachable via IP. This
> PC allows my Unix hosts to execute DOS commands and fetch data from the LANs
> from cron scripts run in the middle of the night.

Let's restrict the question further. Suppose, instead of a full-fledged
TCP/IP stack, the situation is as follows:

A user has a PC that is connected to a local network. Perhaps with IPX
or TCP/IP. The user occasionally connects to a local Internet provider
using a dial-up PPP that comes with their Internet browser package (e.g.
Internet in a Box).

My question is, am I safe in assuming that the economy version of PPP
(TCP/IP) that comes with the browser is incapable of routing packets to
the local network? I'm pretty sure that would be the case if the local
network were IPX; I *think* this would be the case even if the local
network were PPP. I'm basing my trust on the *assumption* that a low
cost Internet browser package isn't going to be smart enough
(particularly on a single tasking DOS/Windows box) to route packets
(even if source routing is used).

Am I deluded? This is starting to become a common question. I've
fielded it 3 or 4 times in the last few weeks.

Many people would like to use this strategy as a poor man's firewall.
I.e. they have a local network that they don't want connected to the
Internet, but a few of the users want access to Internet services. It is
hard to justify the cost of a full-blown firewall in this case. Using a
dial-out PPP Internet browser (to an ISP) on the DOS/Windows boxes
*seems* like a reasonably safe but fairly functional compromise.