Great Circle Associates Firewalls
(January 1994)
 


Subject: Re: Opinion requested
From: bdboyle @ maverick1 . erenj . com (Bryan D. Boyle)
Date: Wed, 5 Jan 1994 11:30:53 -0500
To: firewalls @ GreatCircle . COM
In-reply-to: hobbit @ ftp . com (*Hobbit*) "Opinion requested" (Jan 5, 9:58am)
Posted-date: Wed, 5 Jan 1994 11:30:53 -0500
References: <9401051456 . AA27758 @ ftp . com>

On Jan 5,  9:58am, *Hobbit* wrote:
> Subject: Opinion requested
> I had this exchange with someone recently, after asking him why a machine
> under his purview was logged sniffing around our networks:
>  ...
> ==============
> Date: Tue, 4 Jan 94 16:12:54 -0500
> From: mib @ gnu . ai . mit . edu (Michael I Bushnell)
> Subject: Re: mounting..
> 
>    Date: Tue, 04 Jan 1994 14:25:28 EST
>    From: hobbit @ ftp . com (*Hobbit*)
> 
>    au contraire. I believe it is valid to assume that anyone trying to NFS-mount
>    our machines is up to no good.  Maybe not your machines, but definitely
>    our machines.
> 
> Looking for an nfs mount is no more intrusive than looking for an
> anonymous FTP connection.  
> 
> 	-mib
> ==============
> 
> Now, where do firewallers' opinions tend to align??
> 

I would tend to align on the side of letting his domain sysadmin know (1st step)
of his activities (gotta love that logging...)

I would tend to view this as a somewhat obnoxious event, about on par with
banging at the firewall to see what ports are available for connection, and
then trying them out to see what you can find.  

IMHO, anonymous FTP is a public *service* you provide so as to limit or control
the amount or types of information you make available to the public.  It has
a clearly-defined directory structure, as well as (or should have) a clearly-
defined statement of purpose and controlled contents.

Channel-surfing for stray NFS mounts is not the same, unless those NFS
mounts are there for public access.  NFS is not a common method of access
across the net (I don't think...correct me if I am wrong, but I am thinking
of this in the same arena as anon/ftp) between non-affiliated organizations.

Just because I have data (by definition, as a net/sys admin, I do...)
does not mean that I am making it available to you for whatever you want
to do with it.  As a firewall admin, I have shut down all services I deem
as not being germane to my connection to the world.  And, since I decide what
services I allow or not, and the user is probing a connection I am responsible
for, he/she/it should respect my wishes once they are made known to them.
It is not open for debate, especially with some net.critter outside of 
my jurisdiction.

Just my $.02, your mileage may vary.

-- 
Bryan D. Boyle        |Physical: ER&E, Rt. 22, Clinton, NJ 08801
#include <disclaimer> |Logical: Cogito sum, ergo sum, cogito.
(908) 730-3338        |Virtual: bdboyle @ erenj . com

