> > Sun uses something called "itelnet" and "iftp" (they also have
> > "iping", most useful). This apparently does the connection
> > to the gateway and send the command to their proxy. This
> > would probably be straightforward to implement for the TIS
> > proxies, but is it so difficult to have users
> > "telnet gateway.alsys.com" then connect to the proxy to
>
> The TIS toolkit does include proxy services for telnet and ftp
> already. They will work in the same manner that the Sun firewall
> software proxies do.
>
I'm intimate with the TIS/Dec SEAL software. The itelnet and
iftp programs speak TO THE PROXIES for you. ie. I type
"itelnet this.host.com" and I get onto the client. It's
easier than teaching "telnet gateway" "connect this.host.com"
the i* commands are NOT the same as the TIS proxies, they are
client used commands that hide the proxies from the users.
This could be implemented with the SOCKS library as mentions. SOCKS
also can allow gopher/WWW/mosaic to work where users get OUT but
nobody gets IN. This doesn't mean hacking the kernel, it means implementing
some new clients (iftp, iping, itelnet and imosaic (or whatever)) that have
been build against the library.
> Lets call the machine "bastion host" rather than firewall - I think it
> is confusing as the "firewall" may consist of one or more "bastion hosts"
> in addition to routers.
Ok.
> You can still have a "firewall" that includes a bastion host that does
> not have IP_FORWARDING turned off in it's kernel. In this case, adding a
> default route on an internal machine could very well accomplish what he
> is trying to do.
DISCLAIMER: I can make Unix work with more ease that I can routers. I
can setup and maintain routers, but I don't know them to the extent
that I can run through the output of "ps", "netstat" and look at
inetd.conf and whatever wrapper/proxy files I have (netperm-table??)
Filtering routers can work, but can they authenticate using a
SecureID? Can the leave a detailed audit trail? Can they allow ftp
users to "get" but not "put"? Can they be easily audited by a Unix
SA? and for smaller companies are they cost efficient? I can take
a US$1300 IPC with an extra ethernet card or just a PPP connection
and have a firewall that I trust. Larger companies would probably
have routers ANYway, so it's an option.
With a filtering router you don't have the auditting/authentication
that an IP blocking bastion host has. If the internet can get through
to the internal net, your not safe. I don't trust routers. Actually I
do. I don't trust how easy it is to have errors in router config
file. There have been router firmware errors that allowed IP spoofing
that compromise their security. These are fixed. What other errors
are there? It's too easy to make a typo there and allow services.
An IP blocking, dual homed bastion host with everything shut off
(except for what you EXPLICITLY turn on) is the config I trust. I have
seen routers where policy is not quite what the administrators expected.
This is my main problem with router/bastion based policies. A fast Unix
box can be enough and be secure and easily verified by a reasonably good
Unix SA.
Chuck Yerkes
chuck .
yerkes @
ov .
com
---------------------------------------------------------------------------
My company hardly acknowledges my existence, let alone my random opinions.
Follow-Ups:
|
|
