Great Circle Associates Firewalls
(March 1996)

Subject: Re: Point of no gain
From: Michael Dillon <michael @ memra . com>
Organization: Memra Software Inc. - Internet consulting
Date: Tue, 26 Mar 1996 23:31:03 -0800 (PST)
To: Andrew Molitor <amolitor @ anubis . network . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9603261718 . AA05250 @ anubis . network . com>

On Tue, 26 Mar 1996, Andrew Molitor wrote:

> 	The hard part (or at least A hard part) of intranet firewalls
> is designing an access policy that actually does some restriction and
> also lets people do their jobs, without utterly busting everything.
> The amount of goo that flies about the network when someone telnets
> from host A to host B and logs in is simply astonishing.
> 
> 	- TCP, to carry the telnet
> 	- NIS, to get a password entry

This could be replaced with RADIUS, although I don't know of anyone 
currently using this on an internal network. I do know that some FreeBSD 
and Linux ISPs have hacked RADIUS into the login command in order to 
build terminal servers out of UNIX boxes.

> 	- RPC, to figure out NFS foo
> 	- NFS to access the user's home directory (technically, I
> 	  guess this is RPC too, but it usually uses nailed up ports etc,
> 	  so it's sort of different)

I have never tried to firewall NFS or NetBIOS, but my understanding is 
that NetBIOS/SMB only uses 3 sockets. What about NFS over TCP?

> 	at the very least, in a typical Sun based setup. I've probably missed
> a couple of important things. Restrict any of this, and stuff breaks, your
> phone spontaneously combusts, and you back it all out. What you need to do is:

Maybe the manufacturer of SunSCREEN can be encouraged to make their 
networking software, i.e. NFS et al., easier to firewall?

> low. You have a much harder time selling this sort of thing into an internal
> network, where things really have to work, where performance does matter,
> where policy matters, and so on. Everyone knows you really should approach
> all network security stuff from an incremental, years-long, fully staffed
> point of view, but for intranets it's a lot harder to cut corners.

The more we can get network admins into a security mindset, the more we 
will get vendors to build products that can be managed by mere mortals 
without compromising security and opening zillions of plug-gateways. It 
may be worthwhile adding firewall concerns to the standard checklist of 
questions that you ask every vendor of every product that goes on your 
network.

Michael Dillon                                    Voice: +1-604-546-8022
Memra Software Inc.                                 Fax: +1-604-546-3049
http://www.memra.com                             E-mail: michael @ memra . com
