Path: utzoo!utgpu!news-server.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!RICE.EDU!almes
From: almes@RICE.EDU (Guy Almes)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: dial-up access to the Internet
Message-ID: <9005251505.AA27779@iapetus.rice.edu>
Date: 25 May 90 15:05:34 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 38



robjohn@ocdis01.af.mil (Robert Johnson (CDC Contractor);CDC;) writes:<<
  But that's not how the real world works - right?  I get a the willies about 
  letting anyone dial up and get on the Internet without authentication and 
  audit trail.  That would seem to invite abuse.  The open-door "guest" account 
  is an invitation to disaster (or hassle, if the FBI asks why your system 
  allowed the bad guy access to the Internet).  Unfortunately, all sites seem 
  to have their share of traveling dignitaries who need to check their email 
  in some other corner of the world.
>>

Bob makes a good point which I'd like to strengthen.  The Federation of
American Research Networks (FARnet) has gone on record as urging its mid-level
networks and the campuses they serve to dis-allow any unauthenticated access
to the Internet.  Specifically, terminal servers that require no authentication
and then allow the caller full access to the Internet must be reconfigured to
either require authentication or to provide access only to a set of hosts on
campus that *do* require authentication.

I also like his later example of how to be both courteous and careful:<<
  To handle these, we set up a "guest" account which is password protected.
  When a user logs into this account, they see a list of systems that they
  can connect to.  When a travelling dignitary comes on base, our customer
  support folks offer the courtesy of using the guest account, and provide
  him with the current password (they also make sure the right "home system"
  is currently on the menu).  After he leaves, they change the password on
  the account.  No logins to this guest account are allowed over modem or
  >from the Internet.  The user must be "on base" to use the account.  Not
  only are we controlling guest access, but visitors are impressed by our
  "thoughtfulness" in providing them with this "phone home" capability,
  without them having to ask for it.
  
  Bob Johnson
  Tinker AFB
>>
This is one example, among many possibilities, of how to be responsible.
	-- Guy Almes