Thanks for the notes.
The O'Reilly book explains the need for high numbered ports. I'll read that.
My reason for stopping telnet was to reduce the access users outside would have to our unix
machine inside (i.e. to try to reduce password guessing). Is this pointless if ftp is allowed?
(even assuming only anon ftp i guess it would be)
To let ftp out but not in, is it possible to only allow ftp conversations to be initiated from inside?
If I could use NT as the firewall that would be great (I know a heap more about NT than the
flavours of unix) but our UK (I'm actually in Australia) office had stopped using NT as they were
concerned about the security of NT itself.
I'm off to do some more reading.
PS: getting a valid IP net is easy over here -> local ISPs.
I've already picked up fwtk.
>>> <x85899c4@cadet2.usma.edu> 21/May/1996 06:33pm >>>
Scott,
Glad that I could be some help - I'll intersperse some comments in your message below and
then conclude at the end.
> and traffic is usually telnet, ftp, X, smtp, groupwise-mail
> > What I think you need to know..
> > We need to protect
> Netware servers.
> NT workstations (no servers, but the same I guess)
> Sun SparcStations.
>
I haven't worked much with NT, only read about it so I can't confirm that my solution will work
for NT. You might want to look into a product called Eagle Raptor for NT - I think there is a
freeware version that might be of assistance as an application level gateway for your NT
clients.
> > I would like to allow FTP and Web/HTTP
> I don't need telnet.
If you are going to allow ftp, you might as well allow telnet because the only difference is the
conversation with a server at a different port. They both require you to allow high numbered
ports to talk through your firewall. Do you understand why? If not, I'll gladly explain - don't
really know how much you know! :-)
> > Firewall needs to allow IP only (no IPX, netbeui, netbios)
> The intended use of the link is for us to get OUT not for others
> to get in.
What kind of router do you have? If you have a multi-interface router, then you can apply a set
of packet filters to the inbound interface which will disallow everything except for
conversations with NTP (network time protocol, which is basically secure) and mail.
> > My thought is that we only allow through the bare minimum to
> permit FTP/HTTP and that this will in effect protect us?
> > PROBLEM #1.
> We don't have valid IP networks (169.xxx, 170.xxx, 69.xxx)
> Do we use a gateway for this?
>
You are definitely going to have a problem here. This is where I would begin your work,
because without valid IP addresses you can't do much because people can't talk back to you.
For example, if you make up an IP address the DNS databases won't know to send the
information to you. I could tell you how to get a Class C address here in the states pretty
easily, but I can't be of much help in the UK -- try to maybe call a local university and see if they
will give you a subnet of their IP domain, or maybe call the name administrator for the uk
domain. This is your first prerogative though...
> > I saw a demonstration of WinGate for NT which would allow us to
> access the net with invalid addresses but this was insecure.
>
You're definitely going to have problems with any kind of internet connectivity if you don't
have a recognized IP address. Start there, and then you can add a simple packet filtering
firewall that should be enough to let you do what you want. Look into a passive-mode FTP
client - again, if you don't know what passive-mode is just send me a reply and I'll explain
more. That makes it a lot safer to let FTP through.
Hope this is at least a beginning for you -- my recommendations are just that you start
looking at Trusted Information Systems Firewall Toolkit (fwtk). You can get this via ftp at
ftp.tis.com if you have an alternate way to use ftp. If not, then drop me a line and I will pick up
a copy and send it to you encoded in an email message.
Good luck - if you need more info just ask!
Jesse
***********************************************************
Jesse Whyte
(914)938-4120 x85899c4@cadet2.usma.edu
REAL PORTION of Microsoft Windows code:
while (memory_available) {
eat_major_portion_of_memory (no_real_reason);
if (feel_like_it)
make_user_THINK (this_is_an_OS);
gates_bank_balance++;
}
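The thread's two technical points (FTP and telnet both need high-numbered ports opened, and passive-mode FTP is safer to let through a simple packet filter) can be shown with a toy stateless filter. This is an added example, not code from either correspondent: it models the 1990s "allow only conversations initiated from inside" rule by admitting inbound TCP only when the ACK bit is set (a reply to an outbound connection), plus the inbound SMTP and NTP exceptions the reply mentions. The 10.0.0.x inside network, the 192.0.2.10 FTP server and the port numbers are constructed.

```python
# Toy stateless packet filter for the policy discussed in the thread (added example).
from dataclasses import dataclass

INSIDE = "10.0.0."          # constructed internal prefix (stands in for the site's own net)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    ack: bool = False       # TCP ACK flag; clear on the first (SYN) packet of a connection

def inbound(pkt):
    """True for packets coming from outside to an inside host."""
    return not pkt.src.startswith(INSIDE) and pkt.dst.startswith(INSIDE)

def filter_packet(pkt):
    """Return 'permit' or 'deny' for one packet seen on the router's outside interface."""
    if not inbound(pkt):
        return "permit"                       # anything going out is allowed
    if pkt.proto == "tcp" and pkt.dport == 25:
        return "permit"                       # inbound mail (SMTP)
    if pkt.proto == "udp" and pkt.dport == 123:
        return "permit"                       # NTP
    if pkt.proto == "tcp" and pkt.ack:
        return "permit"                       # reply to a connection opened from inside
    return "deny"                             # new inbound connection attempt (bare SYN)

def ftp_data_connection(mode, client="10.0.0.5", server="192.0.2.10"):
    """First packet of the FTP data connection in active vs passive mode (constructed hosts)."""
    if mode == "active":
        # Server connects from port 20 to the high port the client announced with PORT.
        return Packet(server, 20, client, 40000)
    # Passive: client connects to the high port the server announced with PASV.
    return Packet(client, 40001, server, 50000)

def ftp_session(mode):
    """Filter verdicts for the control connection, its reply, and the data connection."""
    control = Packet("10.0.0.5", 40002, "192.0.2.10", 21)             # outbound SYN to ftp
    control_reply = Packet("192.0.2.10", 21, "10.0.0.5", 40002, ack=True)
    return {
        "control": filter_packet(control),
        "control_reply": filter_packet(control_reply),
        "data": filter_packet(ftp_data_connection(mode)),
    }
```

Active-mode FTP fails because its data connection is a new inbound SYN to a high port, exactly what the rule exists to block; passive mode opens the data connection from inside, so it passes without any inbound high-port hole. A real filter of this era would also need rules for UDP replies, which have no ACK bit to key on.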