Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: SLIP past the firewall?
From: cmcurtin @ clipper . cb . att . com
Date: Wed, 19 Apr 95 00:22:22 EDT
To: firewalls @ greatcircle . com, ems @ CS . Princeton . EDU

> What are the worst forms of abuse that can happen via SLIP run "past" (or
> around) the firewall? Can I somehow remove from the home machines the
> capability of further extending the network in uncontrolled fashion? And
> will enforcing modem callback substantially reduce the risk?

The biggest problem with this, IMHO, is that you're opening up the possibility
for someone to circumvent your firewall by doing something to one of your users'
home machines - which would be possible if they have connectivity beyond your
network.

For example, my home machine is a Sun, so it'd be very easy for me to allow
dialup access to my system. One of my modems is connected to work, and I'm
therefore behind the firewall. If some ]<raker ]D00D successfully gets into
my home machine, he's got a prompt on a machine behind my company's firewall.
Uh oh. With more and more people getting real operating systems on their home
machines (more folks getting workstation type boxes at home, or getting Unix,
especially free Unix ala Linux, 386BSD, etc), this is becoming more of a threat
than it once was.

In the office, it's fairly easy to come up with rules that people have to
stick to, like "no modems that answer incoming calls allowed," but how do you
deal with these threats when they're coming from an employee's home machine?
Does my employer have the right to tell me that my personal hardware can't be
connected to anything but company networks? Maybe they say I can't be on their
network at the same time that I'm on another machine, but what if someone hacks
me while I'm not connected, and puts in a time bomb that hacks the net from
inside once I connect? This gets tricky, I think.

I've been able to think of other problems (like having a modem pool that could
be hacked) with this scenario, but I'm able to also think of quick solutions
to minimize those threats (such as one-time passwords to not allow dial-in
scripts, password guessing, etc.)

---
C Matthew Curtin
AT&T Bell Labs - Internet Gateway Group            cmcurtin @ clipper . cb . att . com

