Great Circle Associates Firewalls
(September 1992)
 


From: uucp@wattres.SJ.CA.US (UUCP administrator)
Date: Fri, 25 Sep 92 17:45:42 GMT
To: firewalls@GreatCircle.COM

Newsgroups: firewalls
Path: wattres
From: uucp@wattres.SJ.CA.US (UUCP administrator)
Subject: Re: none + some VS all - some
Reply-To: firewalls@GreatCircle.com
Organization: Steven Watt, Consultant   San Jose, CA, USA
Distribution: local
Date: Fri, 25 Sep 1992 17:44:55 GMT
Message-ID: <1992Sep25.174455.21129@wattres.SJ.CA.US>
Sender: uucp@wattres.SJ.CA.US (UUCP administrator)

Newsgroups: firewalls
Path: wattres
From: Amos Shapira <amoss@cs.huji.ac.il>
Subject: Re: none + some VS all - some
Reply-To: firewalls@GreatCircle.com
Organization: Steven Watt, Consultant   San Jose, CA, USA
Distribution: local
Date: Fri, 25 Sep 1992 13:42:15 GMT
Message-ID: <1992Sep25.134215.11895@wattres.SJ.CA.US>
Sender: uucp@wattres.SJ.CA.US (UUCP administrator)

In message <9209242345.AA11944@gorn.hal.com> jonl@hal.com (frederick smythe,
esquire) writes:
|proxy type service.  my plan was to allow all incoming connections - 
|connects to ports < 1024 OR a specific list of other dangerous-type
|ports (like the X server).  i'm aware that this means that someone can
|run their own program from inside which could be a major security problem,
|but since i haven't had time to convert our firewall machine to a config
|which doesn't let all the users have login access, that is already the case.
|my main questions i have right now are...

[ deleted ]
|2) are there any other issues which i may not be aware of?

I think you might be interested in the "established" parameter in the extended
access-list provided by Cisco.  This will allow you to initiate any TCP
connections to outside, and let the outside machine respond to the connection,
but will not allow outside machines to initiate a TCP connection.  This is
how I plan to install the firewall here.

I'm aware that this is not 100% ideal (one drawback which immediately comes to
mind is having an outside machine spoofing an outbound connection and starting to
pretend it's answering it instead of the real addressee; I guess Kerberos
can block such an attack, but this is not a firewall issue), but it must be
much better than being completely open to the world (and also I don't believe
any student/kiddie-level cracker will invest so much in infiltrating a
Uni...).

Any opinions about improvements in this direction are welcome (but one corner-
stone of our firewall is that it shouldn't require any special software for
normal operation; we hate replacing vendor-supplied software with locally-
written specialized software which has to be updated every once in a while).

|
|--jon

--Amos Shapira

CS System Group, Hebrew University, Jerusalem, Israel
amoss@cs.huji.ac.il

