Great Circle Associates Firewalls
(March 1993)

Subject: Firewalls and NFS -
From: Marcus J Ranum <mjr@TIS.COM>
Date: Mon, 22 Mar 93 10:47:46 EST
To: wohler@sap-ag.de
Cc: firewalls@GreatCircle.COM

>chris> 4.  It would be real nice if users on our US office network could drive
>chris>     straight through our gateway as if it weren't there.
>
>  it's easy enough for someone to spoof your us office network and
>  drive straight through your router as well.  this *is* a good
>  problem.  does anyone have any good solutions?

	I'd look into using some kind of tunnelling router or encrypting
router. If you can encrypt point-to-point between your remote offices,
for someone to spoof you, they'd have to inject packets into your crypto,
which would be A Trick. Does KarlBridge do encrypted tunnelling? The
MorningStar tunnelling driver or my tunnelling driver + crypto, would
do the trick. UUNet Technologies has a box they call the LAN Guardian
that does point-to-point crypto at very high speeds, with the ability
to select network peers to do crypto over. You could implement exactly
what you want, using that. With a little creativity in routing, you
could easily implement the moral equivalent of encrypted tunnels,
without interfering with normal internet traffic.

>chris> To reach an internal machine
>chris>     it would be necessary to login to the gateway and then
>chris>     rlogin/telnet again from there.
>
>  i haven't been able to decide what to do with this and hope to hear
>  more response from the list.  add users to the firewall, and you add
>  too much noise to the logs for them to do any good, as well as
>  adding to the vulnerability of the firewall.  have all users go
>  through a single account and you have a password distribution, and
>  accountability problem.

	I never recommend putting users on firewalls. It's not just a
security problem, it's an administrative hassle. For one thing, you
have to worry about them using up disk space, etc, etc, etc. I like
my firewalls to be something I set up, and more or less forget about
except for when the hardware breaks.

	If you have to, a captive login program that does a chroot to
someplace and drops the user into a simple shell that lets them telnet,
or rlogin to other machines, will do 95% of what you want.

>  unfortunately, there is always a tradeoff: the better the security,
>  the more inconvenient the firewall.  is a convenient, secure
>  firewall desirable?  attainable?

	Convenient, secure firewalls are easily obtained. Granted,
there is always some byproduct of security that is visible, but I
think you can do a pretty good job if you think things through. I
like to think the DEC SEAL is a pretty good compromise between
security and user friendliness, with security taking precedence
where it has to.

mjr.
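The captive login shell mjr describes above, as an added example that is not part of the original post: its core is a command filter that accepts only `telnet <host>` or `rlogin <host>` and refuses everything else (extra words, client options, shell metacharacters). The chroot jail and its contents are assumed and left out.

```c
/* Added example, not from the original post: command filter of a captive login shell. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

static const char *const allowed_cmds[] = { "telnet", "rlogin", NULL };

/* Letters, digits, '-' and '.' only, no leading '-': this rejects shell
 * metacharacters and client options such as "-l root" alike. */
static int valid_host(const char *h)
{
    if (*h == '\0' || *h == '-' || strlen(h) > 255) return 0;
    for (; *h != '\0'; h++)
        if (!isalnum((unsigned char)*h) && *h != '-' && *h != '.') return 0;
    return 1;
}

/* Tokenise line into argv[3] (storage in buf). Returns 1 only when the
 * line is exactly one allowed command followed by one valid hostname. */
int captive_parse(const char *line, char *buf, size_t buflen, char *argv[3])
{
    int argc = 0;
    if (strlen(line) >= buflen) return 0;
    strcpy(buf, line);
    for (char *t = strtok(buf, " \t\r\n"); t != NULL; t = strtok(NULL, " \t\r\n"))
        if (argc < 3) argv[argc++] = t;     /* count words, keep the first two */
    if (argc != 2) return 0;                /* nothing, or extra words: reject */
    argv[2] = NULL;
    for (int i = 0; allowed_cmds[i] != NULL; i++)
        if (strcmp(argv[0], allowed_cmds[i]) == 0) return valid_host(argv[1]);
    return 0;
}

/* Real use would chroot(2) into a jail holding only the two clients first
 * (omitted here: needs root and a prepared jail). execvp replaces the shell. */
int main(void)
{
    char line[256], buf[256], *argv[3];
    for (;;) {
        fputs("captive> ", stdout);
        if (fgets(line, sizeof line, stdin) == NULL) return 0;
        if (captive_parse(line, buf, sizeof buf, argv)) {
            execvp(argv[0], argv);
            perror("exec");
            return 1;
        }
        puts("only 'telnet <host>' or 'rlogin <host>' is permitted");
    }
}
```

Because the shell is replaced by the client, a session ends when the telnet or rlogin connection does, which is the one-hop behaviour the post asks for.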
