Great Circle Associates Firewalls
(February 1996)

Subject: Re: how secure is NIS
From: Julio Sanchez <jsanchez @ gmv . es>
Date: Thu, 1 Feb 96 11:01:25 +0100
To: Doug . Hughes @ Eng . Auburn . EDU
Cc: jsanchez @ esegi . es, firewalls @ greatcircle . com
In-reply-to: <doug-9600311429 . AA009314814 @ netman . eng . auburn . edu> (message from Doug Hughes on Wed, 31 Jan 1996 08:29:39 -0600)

> From: Doug Hughes <Doug . Hughes @ Eng . Auburn . EDU>
> Date: Wed, 31 Jan 1996 08:29:39 -0600
> Cc: firewalls @ greatcircle . com
> 
> 
> I think you are confusing our firewall with our external router. As this
> wasn't made clear in the original post, that is a natural mistake. My point
> was that the University as a whole has an external router that has a block
> as opposed to allow strategy by necessity. There are several protocols that
> we can all agree deserve blocking (RPC, NFS, rexec, etc). However, making
> an allow list would be huge and unwieldy (while blocking all else).
>  Our firewall is actually part of the engineering network and does serve
> to protect us from other depts outside of engineering in a limited fashion.
> I wouldn't call it a real firewall as it uses tcp_wrappers, some scanner
> detection, and other IDS type tools, but it serves its purpose admirably.

Good, so you already have one or more internal firewalls. That was
actually the point I was making, that a firewall protecting a
University network from the Internet is silly most of the time.

But the point being made in the thread by others is that RPC, etc. are
not really securable.

And then my other implicit point was that the University network at
large is not protected very strongly. This is actually very common in
Universities and is not necessarily wrong in itself. Only that
everyone must be aware of this and no unwarranted expectations should
be raised by anyone. You cannot be very open (like your departments
require) and very protected at the same time.

> The ruleset on the external router is quite small, unfortunately, and
> necessitates a block vs. allow strategy.

That, as you probably know, requires you to know what is dangerous and
we don't really know that. At most, we think we know what things don't
seem to be dangerous. And some people in the list will immediately
point out that I am being too optimistic :-)

> The actual firewall machines are under our direct control and are
> self-consistent and wholly configured by us.
>  We do not rely upon the external router to be a panacea, but just to do the
> little things that an External router can be good at:
> 1) preventing external TCP/IP spoofing attacks

Good, but in an open environment such as yours it is probably very easy to
get to some internal machine maybe even through approved means
(accounts for research partners, student accounts whose passwords
circulate around, etc.) and as soon as they've got a stronghold
inside, the router (or a more restrictive firewall for that matter) is
going to be of little help.

> 2) preventing source routing

Good again, but see above.

> 3) blocking agreed upon services

I have already commented on this, but see that some services cannot
easily be mapped to filterese (source/dest, address/port, etc.). You
might be blocking the services that you consider dangerous *and*
can be filtered. Notice the emphasis on "and".

So, your network at large is not really very secure and cannot
probably be secured without major rethinking/restructuring and a lot
of consensus.

At least you already have some networks more protected so it seems you
are more aware of the issues than I had thought at first (so I
apologize for jumping so fast). The Spanish University I mentioned did
not seem to be, so the depth of the damage is unknown. No one knows
how deep they got, but the fact that disguised sniffers were found is
not comforting. Since all I know about this intrusion is second hand
and off-the-record, it might be pure invention. So those considering
asking (some already have), please refrain, I cannot tell who they are
unless they come forward.  But it is worth some thinking even if it
just were a hypothetical case (similar cases have been reported
before anyway).

All the best,

-- 
Julio Sanchez, SGI Soluciones Globales Internet
Tel/Fax: 91/804 14 05  WWW: http://www.esegi.es
jsanchez @ esegi . es   jsanchez @ gmv . es
PGP Key fingerprint =  E5 29 93 6F 41 4E 00 E2  90 11 A1 8C 72 D0 DE 71
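The three "little things" Doug lists for the external router (anti-spoofing, dropping source-routed packets, blocking agreed-upon services) and Julio's point that a block list only catches what is both dangerous *and* expressible in filterese can be made concrete with a small model of a stateless packet filter. This is an added illustration, not code from the thread or from either site's routers; the 10.0.0.0/8 campus address space, the two rule sets and the sample packets are constructed for the example. The well-known ports used (111 portmapper, 2049 NFS, 512 rexec, 25 SMTP, 80 HTTP) are standard assignments, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: pretend the whole campus lives in 10.0.0.0/8.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    dport: int                   # destination port
    inbound: bool                # True when it arrives on the external (Internet) interface
    source_routed: bool = False  # IP source-route option present


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        # This is the whole vocabulary of "filterese": protocol and port.
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(p: Packet, rules, default: str):
    """Return (action, reason). The router-level sanity checks run first,
    then the rule list is scanned top to bottom; the default applies if
    nothing matched."""
    # 1) Anti-spoofing: a packet arriving from the Internet must not claim
    #    an internal source address.
    if p.inbound and any(ip_address(p.src) in n for n in INTERNAL_NETS):
        return "deny", "anti-spoofing: internal source on external interface"
    # 2) Source routing lets the sender dictate the path; drop it outright.
    if p.source_routed:
        return "deny", "source-routed packet"
    # 3) Agreed-upon services, as far as they can be named by port.
    for r in rules:
        if r.matches(p):
            return r.action, f"rule {r.action} {r.proto or 'any'}/{r.dport or 'any'}"
    return default, f"default {default}"


# "Block as opposed to allow": name the dangerous things, permit everything else.
BLOCK_LIST = [
    Rule("deny", dport=111),    # portmapper (RPC)
    Rule("deny", dport=2049),   # NFS
    Rule("deny", "tcp", 512),   # rexec
]
# Allow list: name the permitted things, deny everything else.
ALLOW_LIST = [
    Rule("allow", "tcp", 25),   # SMTP
    Rule("allow", "tcp", 80),   # HTTP
]


def decide_block_list(p: Packet):
    return filter_packet(p, BLOCK_LIST, default="allow")


def decide_allow_list(p: Packet):
    return filter_packet(p, ALLOW_LIST, default="deny")


# Constructed sample traffic arriving on the external interface.
SAMPLE_PACKETS = {
    "smtp":          Packet("192.0.2.10", "10.1.1.25", "tcp", 25, inbound=True),
    "nfs":           Packet("192.0.2.10", "10.1.1.30", "udp", 2049, inbound=True),
    # An RPC service registered on a dynamic high port: no static port rule
    # names it, which is Julio's "cannot be mapped to filterese" case.
    "rpc_dynamic":   Packet("192.0.2.10", "10.1.1.30", "udp", 32771, inbound=True),
    "spoofed":       Packet("10.2.3.4", "10.1.1.25", "tcp", 25, inbound=True),
    "source_routed": Packet("192.0.2.10", "10.1.1.25", "tcp", 80, inbound=True,
                            source_routed=True),
}


def compare(packets):
    """Map each packet name to (block-list decision, allow-list decision)."""
    return {name: (decide_block_list(p)[0], decide_allow_list(p)[0])
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (blocked, allowed) in compare(SAMPLE_PACKETS).items():
        print(f"{name:14s} block-list={blocked:5s} allow-list={allowed}")
```

Running it shows the two strategies agreeing on everything the router can see (spoofed sources, source routing, the named ports) and disagreeing only on the RPC service sitting on a dynamic port: the block list lets it through because no rule describes it, the allow list drops it because nothing vouched for it. That gap is exactly the "dangerous *and* filterable" intersection; it is also why the thread keeps pointing back at internal firewalls and host-level controls rather than the border router.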