> We are designing our firewall. It will use a single login account which
> administers the challenge-response authentication (user then can telnet
> into whatever internal system he/she needs). However, we are stuck with
> a problem that I can not seem to resolve. How does one keep a secure
> firewall that allows people to use UUCP? I've thought and thought, but
> about the only thing I can think of is this:
>
> Bastion host contains the required UUCP logins which use 'uucico'
> for the shell and also contains the 'validator' account. It also
> has some number of modems.
> Another system on the internal net has all user accounts and a uucppublic
> directory. In addition, this system contains some modems with NO GETTYs
> running on them (They are outbound only). Users inside the net can uucp
> or use 'tip' from this 'uucphost'. All incoming UUCP is sent to the
> bastion host which has the 'uucphost's uucppublic directory mounted
> via NFS.
>
> The problems I see with this are that the bastion must have SOME idea
> of who the recipient of a file is - I would prefer not to have to add
> ANY accounts to passwd even if the shell were '/bin/false'. Next, it would
> require that the bastion have enough NFS smarts to mount that partition,
> thus I don't know what other vulnerabilities I might encounter.
>
> Is this the best solution for this? What has anyone else done?
> It seems a shame to build a firewall and then leave some modems
> hanging out in the breeze unprotected!
> BTW - All interactive dial-in has been addressed separately so
> the UUCP concern can be resolved without regard to interactive modems.
> Thanks,
I posted the above message and got several responses (thank you very much);
however, I believe I must have misrepresented my goals. What I need to know
is how one sets up a UUCP relay. I am going to have some problems when
I implement the accountless bastion host. Basically, I want several
internal systems to know about one particular system (also internal). This
other system would be the only one to know about the bastion host, and
the bastion host would only know him and outsiders. I need inbound
UUCP to pass through the bastion onto the one internal host, and I also
need my UUCP-only outbound news feeds to pass from the internal
newshost to the uucphost, which then passes it to the bastion
(or dials out on an outbound-only modem pool [no gettys on modems
to internal hosts]).
As you can see, the TCP portion of installing a firewall is pretty
straightforward for me, but the UUCP issues throw a real wrench
in the works. If you can't help me directly, can you point me to
a resource that addresses these? (I already have and have read
the following O'Reilly books that seem kinda related:
TCP/IP, Managing UUCP and Usenet, Practical Unix Security.)
Thanks again.
--
PATRICK LARKIN <plarkin@iphase.com>  System Administrator, Interphase Corp.
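One way to express the two-hop relay the post describes (bastion knows only
uucphost and the outside sites; uucphost knows the internal systems and the
bastion) is in the `sys` file of Taylor UUCP. The fragment below is an added
example, not the poster's configuration and not part of the original post; it
assumes Taylor UUCP is the UUCP in use, and the host names (`bastion`,
`uucphost`, `outside1`, `outside2`), the login names (`Uuucphost`,
`Ubastion`, `Uoutside1`) and the port name `lan` are made up for illustration.
The point it shows is that the bastion needs no user accounts at all: every
remote site is confined to the public directory, may only run `rmail` and
`rnews`, and may only forward through the bastion to the one permitted
neighbour on the other side.

```conf
# Bastion host: Taylor UUCP sys file (assumed path /usr/conf/uucp/sys).
# All host, login and port names below are assumptions for this example.

# --- the single internal neighbour -------------------------------------
system uucphost
called-login Uuucphost        # the login uucphost must present when it calls us
call-login Ubastion           # our login when we call uucphost
call-password *               # password kept in the separate call file
time any
port lan                      # a TCP-type port defined in the port file (assumed)
commands rmail rnews          # the only commands uucphost may execute here
remote-send ~                 # it may fetch files only from the public directory
remote-receive ~              # and may deposit files only there
forward-to outside1 outside2  # traffic from uucphost may be relayed only outward
forward-from outside1 outside2

# --- an outside site dialling in on the bastion's modems ----------------
system outside1
called-login Uoutside1        # a uucico-shell login; no ordinary user accounts
time never                    # we never call it; inbound only
commands rmail rnews
remote-send ~
remote-receive ~
forward-to uucphost           # anything it relays may only go on to uucphost
forward-from uucphost         # and only uucphost's traffic may be relayed to it

# A second outside site would be a copy of the outside1 block. No entry
# exists for the internal newshost or any other internal system, so the
# bastion has nothing to say about them even if an outsider names them.
```

With this in place, mail and news arriving for `uucphost!user` are queued on
the bastion's own spool and carried to uucphost on the next `uucico` call, so
the bastion does not need the uucppublic directory NFS-mounted from inside.
The mirror-image entry on uucphost lists `bastion` as its only outside
neighbour and the internal systems (newshost among them) as the only
`forward-from` sources, which is what keeps the inside hosts from ever
naming the bastion directly. Whether `forward-to`/`forward-from` default to
"none" in a given Taylor UUCP release is worth checking in its documentation;
stating them explicitly, as above, avoids depending on the default.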