Reply to: RE>Security of Appletalk and D
>I have a user who is trying to tell me that allowing him to log into
>a Mac behind our firewall via a dial-back modem (ie not through the
>firewall) will not reduce the security of our network.
Any entry into a network is a point of possible security breach. Any modem
access, Mac or otherwise, is going to make security more difficult.
>I would be very interested in any comments that people on this
>group have about doing this. In particular:
>
>
>1) Security of dial back modems.
They're more secure than not using dialback, but they don't work well in many
applications such as having roaming employees in the field.
>2) Security of Appletalk Remote Access (the software he wants
>to use which allows his Mac at home to appear to be directly on
>the ethernet).
I haven't used Apple's implementation of personal ARA servers in quite a few
years, but allowing users to set up ARA servers (or any kind of dial-in modems)
willy-nilly on your network is a problem. I think Apple has a utility that you
can run on your network that will stop users from bringing up ARA servers
unless they know a particular password.
If people need ARA access, I suggest you set up a dial-in point that you (as
the network administrator) control. I use an 8-port Shiva LanRoverE and it has
several security features that might make you feel more comfortable.
>3) Security of Appletalk (Ethertalk) generally.
I'd say it's just like any other protocol. If you don't encrypt sensitive data
that you pass over your network (such as passwords), then you could have a
problem.
>His arguments saying that it is safe consist mainly of:
>
>1) The phone number is not listed so no one will find it.
Well, this helps, but someone may find it someday.
>2) They will not be able to subvert the dial-back process.
This would be very difficult to do.
>3) They will not know that they need to talk the Appletalk
>Remote Access protocol if they do get through.
This obviously helps. They may even have to figure out if it is ARA 1.0 or ARA
2.0. It's another hurdle for the cracker.
>4) ARA will prompt for a password so you can't get in without
>knowing it.
And, of course, you also need to know the login. On my server, you get 3 tries
for a correct password. If you fail, that login is disabled. This would
really annoy most hackers, I'm sure.
>5) All of the above need to be false before a breakin can occur.
True. There are many hurdles there.
>6) If they did break into a machine on our network, they
>would not be able to go any further.
This depends on your network and ARA server setup.
>I suggested that all they would need is a packet sniffer and
>they could go a LOT further.
First off, packet sniffing on an ARA link wouldn't do them much good. About
all they could see are packets destined for their node and some broadcasts.
Again, what they can see depends on your ARA server setup.
>His response was that there are not any generally accessible
>packet sniffers available for Macs, only some very expensive
>commercial ones.
Oh, they're out there, but they're not of much use on an ARA link.
George
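As an added illustration of the lockout policy George describes (three tries for a password, then that login is disabled), here is a small Python model of a dial-in server's password gate. This is example code added to the thread, not code from the original message, from Apple's ARA or from the Shiva LanRover; the user table, passwords, attempt limit and the `DialInServer` class name are all constructed for the example.

```python
"""Per-login lockout after a fixed number of failed password attempts.

Constructed example: three tries per login, then the login is disabled
until an administrator re-enables it. A disabled login rejects even the
correct password, which is what makes the policy hurt a guessing attacker.
"""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed limit, matching "3 tries" in the thread


class DialInServer:
    """Hypothetical password gate for a dial-in/ARA-style server."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._users = {}
        # Dummy record so unknown logins cost the same hash work as real ones.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._derive("unused", self._dummy_salt)

    @staticmethod
    def _derive(password, salt):
        # Salted, slow hash so a stolen user table is not trivially reversed.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, login, password):
        salt = os.urandom(16)
        self._users[login] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failures": 0,
            "disabled": False,
        }

    def authenticate(self, login, password):
        """Return 'accepted', 'rejected' or 'disabled' for one attempt."""
        user = self._users.get(login)
        if user is None:
            # Burn the same hash cost and give the same answer as a wrong
            # password, so the caller cannot enumerate valid logins.
            self._derive(password, self._dummy_salt)
            return "rejected"
        if user["disabled"]:
            # Locked out: the correct password no longer helps.
            return "disabled"
        candidate = self._derive(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["failures"] = 0  # success clears the failure counter
            return "accepted"
        user["failures"] += 1
        if user["failures"] >= self.max_attempts:
            user["disabled"] = True
            return "disabled"
        return "rejected"

    def is_disabled(self, login):
        return self._users[login]["disabled"]

    def reenable(self, login):
        """Administrator action: clear the lockout for one login."""
        user = self._users[login]
        user["failures"] = 0
        user["disabled"] = False


def run_guessing_attack(server, login, guesses):
    """Feed a list of guesses to the gate and return the outcome of each."""
    return [server.authenticate(login, g) for g in guesses]


if __name__ == "__main__":
    srv = DialInServer()
    srv.add_user("alice", "correct-horse")  # constructed credentials
    print(run_guessing_attack(srv, "alice", ["a", "b", "c", "correct-horse"]))
    srv.reenable("alice")
    print(srv.authenticate("alice", "correct-horse"))
```

The point the thread makes is that the lockout counts per login, so an attacker who does not know the login name gets nowhere, and one who does know it gets three guesses before even the right password is refused. The cost of that policy is that anyone who knows a login can lock its owner out, which is why re-enabling is an administrator action here rather than a timeout.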