On Tue, 26 Mar 1996, Andrew Molitor wrote:
> The hard part (or at least A hard part) of intranet firewalls
> is designing an access policy that actually does some restriction and
> also lets people do their jobs, without utterly busting everything.
> The amount of goo that flies about the network when someone telnets
> from host A to host B and logs in is simply astonishing.
>
> - TCP, to carry the telnet
> - NIS, to get a password entry
This could be replaced with RADIUS although I don't know of anyone
currently using this on an internal network. I do know that some FreeBSD
and Linux ISPs have hacked RADIUS into the login command in order to
build terminal servers out of UNIX boxes.
> - RPC, to figure out NFS foo
> - NFS to access the user's home directory (technically, I
> guess this is RPC too, but it usually uses nailed up ports etc,
> so it's sort of different)
I have never tried to firewall NFS or Netbios but my understanding is
that Netbios/SMB only uses 3 sockets. What about NFS over TCP?
> at the very least, in a typical Sun based setup. I've probably missed
> a couple of important things. Restrict any of this, and stuff breaks, your
> phone spontaneously combusts, and you back it all out. What you need to do is:
Maybe the manufacturer of SunSCREEN can be encouraged to make their
networking software, i.e. NFS et al., easier to firewall?
> low. You have a much harder time selling this sort of thing into an internal
> network, where things really have to work, where performance does matter,
> where policy matters, and so on. Everyone knows you really should approach
> all network security stuff from an incremental, years-long, fully staffed
> point of view, but for intranets it's a lot harder to cut corners.
The more we can get network admins into a security mindset, the more we
will get vendors to build products that can be managed by mere mortals
without compromising security and opening zillions of plug-gateways. It
may be worthwhile adding firewall concerns to the standard checklist of
questions that you ask every vendor of every product that goes on your
network.
Michael Dillon Voice: +1-604-546-8022
Memra Software Inc. Fax: +1-604-546-3049
http://www.memra.com E-mail: michael@memra.com
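An added illustration of the point made above about the side traffic a single telnet login drags along (not code from either poster): a small policy check that computes which services a rule set must also permit for "telnet to host B" to work, and which flows of a constructed login trace a naive telnet-only policy would drop. The dependency map and the NIS/mountd port numbers are my assumptions for a typical Sun/NIS setup of the era; those RPC ports are really assigned by portmap at run time.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port service")

# Service -> (protocol, port). telnet, portmap and nfs use their well-known
# ports; the NIS and mountd values are placeholders, since portmap hands
# those out dynamically on a real host.
PORTS = {
    "telnet": ("tcp", 23),
    "portmap": ("udp", 111),
    "nis": ("udp", 1000),     # placeholder, assigned by portmap in practice
    "mountd": ("udp", 1001),  # placeholder, assigned by portmap in practice
    "nfs": ("udp", 2049),
}

# Assumed dependency map: what each service needs before it can work.
DEPENDS = {
    "telnet": {"nis", "nfs"},   # password lookup, then the home directory
    "nis": {"portmap"},
    "nfs": {"portmap", "mountd"},
    "mountd": {"portmap"},
    "portmap": set(),
}

def closure(wanted):
    """Every service that must be permitted for the `wanted` set to work."""
    needed, stack = set(), list(wanted)
    while stack:
        svc = stack.pop()
        if svc not in needed:
            needed.add(svc)
            stack.extend(DEPENDS.get(svc, ()))
    return needed

def blocked_flows(policy, flows):
    """Flows that a rule set permitting only `policy` services would drop."""
    allowed = {PORTS[s] for s in policy}
    return [f for f in flows if (f.proto, f.port) not in allowed]

# Constructed trace of one interactive login from A to B and its side traffic.
LOGIN_TRACE = [
    Flow("A", "B", "tcp", 23, "telnet"),
    Flow("B", "nisserver", "udp", 111, "portmap"),
    Flow("B", "nisserver", "udp", 1000, "nis"),
    Flow("B", "homeserver", "udp", 111, "portmap"),
    Flow("B", "homeserver", "udp", 1001, "mountd"),
    Flow("B", "homeserver", "udp", 2049, "nfs"),
]

if __name__ == "__main__":
    print("telnet-only policy drops:", [f.service for f in blocked_flows({"telnet"}, LOGIN_TRACE)])
    print("closure policy drops:", blocked_flows(closure({"telnet"}), LOGIN_TRACE))
```

Running it shows the telnet-only policy silently breaking the login's NIS and NFS lookups, which is the "restrict any of this, and stuff breaks" failure the thread describes.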