If you authorize a machine on the outside, and grant access to all sessions
from that machine into your private network, then you are susceptable to
an intrusion from an unauthorized person taking control of that machine.
The best "defense" against this is User Authentication and Authorization.
Don't create a rule where you allow all sessions from a machine outside
of your control to form sessions into your private network. Instead, have
each session validated by making the _person_ requesting the session
authenticate themselves (username/password) on the firewall. Also, before
allowing the session to complete, it's a good idea to actually authorize
the session by another rule.
I'm not familiar with Firewall-1, but for firewalls in general, you would
create accounts for Bob and Alice. You would tell your firewall that it's
OK for Alice to telnet (through the firewall) to your internal payroll
machine; but it's not OK for Bob. After that, even if Bob has authenticated
himself with a valid userid/password, he still cannot form a session to
the payroll machine. This works for 'people' initiated sessions - telnet,
ftp, www, etc - but doesn't work for machine interactions like SMTP.
Even if you've got all of that in place, an adept hacker can still place a
packet capturing process on that outside machine, if they can gain control
over that machine. The next time that Alice logs into the payroll machine
(through the firewall) all of the passwords would be captured and stored.
The hacker can use these to gain access to the payroll machine - masquerading
as Alice. The "defense" against this is to use "one time" password
generators - SecureID Cards and the like.
However, even if you get all of this in place, the wiley hacker can still
perform session hijacking to gain access to your internal machines. (See
CERT advisory CA-95:01.)
I don't want to seem altogether pessimistic on the subject - but I do think
that a very determined person can crack any system, given enough time. Even
Mike's systems are not invulnerable. It would just take a very determined
person to get through his defenses - using electronic means.
Take the time to identify your needs and assess your risks. Getting a good
firewall strategy, a good policy and a good monitoring system can allow you
to have a successful and productive Internet connection. With these in place,
you will not be an easy target and you will easily thwart most hacking
Hope this helps,
Houston, TX, USA
At 04:44 PM 12/30/96 -0900, Mike Bernhardt wrote:
>At 7:05 AM 12/30/96, Ralph Docken wrote:
>>Question: If that workstation, which isn't under my physical
>>control, is connected to something else, which I have no control
>>over, could someone on the "something else" network use the
>>validated workstation as a stepping stone through my FW-1? If
>>so, is there some way to detect that? My initial scenario was
>>that some outsider could crack into the poorly defended external
>>workstation, then use telnet or something like that to ride the
>>validated workstation's credentials through my firewall.
>Unless I'm misunderstanding your question, I'd say the result would depend
>on how your authentication is configured. Specifically, is there a period
>of trust, whereby an authenticated workstation doesn't need to
>reauthenticate for a specified period of time when opening new sessions?
>Any new sessions would appear to come from the trusted machine, so there'd
>be no way to know.
>We don't allow any access over the internet to anything. We have secured
>dial-up and isdn access for users that need access from outside. But that's
>us, your needs may be different.
>"He who dies with the most toys, still dies."
Yeah, but the end-game is a lot more fun.