Great Circle Associates Firewalls
(March 1993)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Appletalk through firewalls.
From: johng @ weema . chi . uwa . edu . au (John Gibbins)
Date: Wed, 3 Mar 93 16:34:21 WST
To: firewalls @ GreatCircle . COM

Mark Verber <verber @
 parc .
 xerox .
 com> states:
> > We currently have a firewall which does not permit logins from outside
> > into our network (basically just allowing DNS, SMTP and established IP
> > connections).  I am under some pressure to allow Appletalk (ie ethertalk)
> > through the firewall.  Ideally I would like to limit it to just allowing
> > us to access remote services and external access to us.
> 
> I find the request to permit AppleTalk through your firewall somewhat
> mystifying.  How are people planning to get AppleTalk to your network?
> No network provider that I know of is routing AppleTalk so who would be
> using this hole in your firewall, and how would they get AppleTalk packets
> to your firewall?

We DO have network providers routing Appletalk.

AARNet (Australian Academic and Research Network of which we are part) 
is connected together via cisco routers which can support routing of 
ethertalk packets.  They allow filtering by network numbers and (I believe
in the latest release) by zones.  We also have a PC running karlbridge which
can also do some appletalk filtering.

The University of Western Australia (UWA) hub router currently routes
Ethertalk so UWA users can see zones around campus and zones at another
local university.  I don't think ethertalk is being routed outside the
state (ie to/from the national hub) so I am most concerned about local
crackers as I doubt it would be possible for attacks to occur from 
outside the state (unless they broke into a UWA machine via IP first).

Allowing ethertalk through our departmental cisco or karlbridge would be
to allow us to access appletalk printers (and possibly servers) at UWA.
How secure would limiting access to specific zones/networks via the cisco
be?
KarlBridge (V1.4) allows for filtering of remote apple printers.  Would
this be reliable.  I guess I should ask Doug Karl how this is done.

I would have no control over the remote sites that we would be talking to
so I don't think that tunnelling would be an option (I can't make them
un-encapsulate [yech - is there such a word?]).

I am looking at zero cost solutions so hardware devices that provide
secure IDs would not be a workable solution for us (we don't have any
blind staff who wouldn't be able to read them :-).

> AppleTalk doesn't have reserved ports to filter on, nor does it have
> fixed addresses.  Everything is dynamically bound on the fly to a name
> space.  The name space don't have authoritative servers so anyone can register
> a name.  The result is that AppleTalk is great for small scale plug and play
> networks.  It is a disaster for large scale secured networking.  Under no
> conditions would I permit an AppleTalk router into my secured network.
> 

I am particularly interested in why you would not allow an AppleTalk router
into your secured network.  My gut feeling was to agree, but I'd like to 
be able to justify it.  Is it the inability to securely identify the
remote nodes for logging/packet-filtering?

-- 
John Gibbins                           The Western Australian Research Institute
The University of Western Australia      for Child Health Ltd     ,-_|\
email:  johng @
 chi .
 uwa .
 edu .
 au           GPO Box D184              /     \
Phone:  +61-9-3408547                  PERTH  W.A. 6001          *_,-._/
Fax:    +61-9-3883414                  AUSTRALIA                      v
"Nothing is foolproof as fools are so ingenious"


Indexed By Date Previous: tcpr ftp bug fix release 1.1.3
From: "G. Paul Ziemba" <paul @ alantec . com>
Next: Re: Should packets just be dropped...
From: Amos Shapira <amoss @ cs . huji . ac . il>
Indexed By Thread Previous: Re: Appletalk through firewalls.
From: davidl @ Newbridge . COM (David Law)
Next: Re: Appletalk through firewalls.
From: johng @ weema . chi . uwa . edu . au (John Gibbins)

Google
 
Search Internet Search www.greatcircle.com