I've been setting up a system just like what Ed has been asked to do.
The only thing is, we don't have an IP link to the Internet, we just use
UUCP at the moment.
Thinking about it, the biggest hassles (that I can see) are:
Crackers getting in via your modems.
Users with multiple connections from their home computers (home
networks, BBS). If they allow IP forwarding and routing, other
non-friendlies may get in.
Other people using authorised people's PCs or whatever.
A number of my users actually use Linux PCs, so it would be quite easy
for them to have multiple links up.
I have set up a firewallish machine to enable the SLIP links. At the
moment it allows IP forwarding for convenience :-(. It does have filters
on what packets are allowed through. Direct access is only allowed to a
couple of internal systems. Everything is logged.
I use dial-back modems to ensure (?!) that only authorised users'
systems can get at a login. The modem waits long enough for the telco to
disconnect before dialling back.
I then use S/Key to force one-time passwords. I don't want people
hardcoding passwords into dial-up scripts so that someone else can just
hit a button and get on. This has drawbacks: the password lists are
insecure.
I managed to do this rather cheaply with a PC. It's not perfect, but I
have a fair amount of control over what can be done.
I also have agreements with the users that they will avoid having two
connections active simultaneously, etc. But just in case ... Mind you, a
number of users think I'm being overly security conscious :-).
Excerpts from firewalls: 18-Apr-95 SLIP past the firewall? Ed Strong@CS.Princeton.E (534)
A group of influential people would like to run SLIP from their homes
to machines behind the firewall. I've explained that this reduces network
security to the level of the weakest password; however, this does not convince.
What are the worst forms of abuse that can happen via SLIP run "past" (or
around) the firewall? Can I somehow remove from the home machines the
capability of further extending the network in uncontrolled fashion? And
will enforcing modem callback substantially reduce the risk?
David Miller, Unix System Administrator
Easams Australia
Direct +61-2-367 4572 Fax +61-2-367 4566
Unit 5, 2 Giffnock Ave, North Ryde, NSW 2113
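The one-time-password step in the post above (S/Key forcing a fresh password per login, so a password hardcoded into a dial-up script or captured off the line is useless a second time), as an added example that is not part of the original message or of the S/Key software. It shows the hash-chain mechanics: the server stores only the last accepted value, the user holds the printed list, and replays or out-of-order entries are rejected. It uses MD5 folded to 64 bits and hex output in place of real S/Key's MD4 and six-word encoding, so it is illustrative rather than interoperable; the seed, passphrase and chain length are constructed values.

```python
import hashlib
import hmac


def _fold(digest):
    """Fold a 16-byte digest to 8 bytes by XORing its two halves (S/Key folds MD4 the same way)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def skey_step(x):
    """One step of the chain: h(x) = fold(MD5(x)). MD5 stands in for the MD4 real S/Key uses."""
    return _fold(hashlib.md5(x).digest())


def skey_chain(passphrase, seed, n):
    """Return [h_0, ..., h_n] with h_0 = h(seed || passphrase) and h_i = h(h_(i-1)).
    The user's printed list is h_(n-1), h_(n-2), ..., h_0, used in that order."""
    x = skey_step((seed + passphrase).encode())
    chain = [x]
    for _ in range(n):
        x = skey_step(x)
        chain.append(x)
    return chain


def printed_list(passphrase, seed, n):
    """The list a user would print (hex here; real S/Key prints six short words).
    This is the 'insecure password list' drawback: whoever holds the paper holds the logins."""
    chain = skey_chain(passphrase, seed, n)
    return [(i, chain[i].hex()) for i in range(n - 1, -1, -1)]


class SkeyVerifier:
    """Server side. Keeps only the seed, the next sequence number and the last
    accepted value; the passphrase itself never reaches the server after enrolment."""

    def __init__(self, passphrase, seed, n):
        # Enrolment: compute the chain once from the passphrase and keep h_n only.
        self.seed = seed
        self.seq = n
        self.stored = skey_chain(passphrase, seed, n)[n]

    def challenge(self):
        """What the login prompt shows: the sequence number and seed to respond to."""
        return self.seq - 1, self.seed

    def verify(self, seq, candidate):
        """Accept h_seq only if seq is below the current counter and hashing the
        candidate (current - seq) times reproduces the stored value. Reusing an
        entry, or replaying one sniffed off the wire, fails the seq check."""
        if not 0 <= seq < self.seq:
            return False
        x = candidate
        for _ in range(self.seq - seq):
            x = skey_step(x)
        if not hmac.compare_digest(x, self.stored):
            return False
        self.stored = candidate   # move the anchor down the chain
        self.seq = seq
        return True


if __name__ == "__main__":
    # Constructed enrolment values for the demo.
    seed, passphrase, n = "ea12345", "correct horse", 5
    user_list = printed_list(passphrase, seed, n)
    server = SkeyVerifier(passphrase, seed, n)
    seq, _ = server.challenge()
    first = bytes.fromhex(dict(user_list)[seq])
    print("login 1:", server.verify(seq, first))    # True
    print("replay :", server.verify(seq, first))    # False: same entry twice
```

The user answers the prompt's sequence number with the matching entry from the list and crosses it out; skipping entries is allowed (the server hashes the candidate more times), but going back to a higher number is not, which is what defeats a hardcoded or captured password.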