Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!ucsd!ucbvax!bloom-beacon!eru!hagbard!sunic!mcsun!ukc!stl!neil
From: neil@stl.stc.co.uk
Newsgroups: comp.protocols.tcp-ip
Subject: Reducing the risks when connecting to an internet
Message-ID: <3768@stl.stc.co.uk>
Date: 23 Nov 90 14:53:58 GMT
Sender: news@stl.stc.co.uk
Reply-To: neil@stl.stc.co.uk ()
Organization: STC Technology Limited, London Road, Harlow, Essex, UK
Lines: 41

We are starting the planning process to connect our large internal network
to an internet. We wish to reduce the risk of unwanted external visitors as
far as possible, whilst allowing our internal users access to other hosts.

One possibility is to acquire a device to sit between our backbone and the
outside world. This device would be programmable so that I could authorise
connections on a per host, per port, per direction basis.

So, for example I have network 128.199, I could have an authorisation file
like:-

    # Source                Dest             Comment
    # host.port             host.port
    *.smtp                  mymailgw.smtp    Mail service inbound
    mymailgw.smtp           *.smtp           Mail service outbound
    128.199.200.*.ftp       *.ftp            FTP
    128.199.200.*.telnet    *.telnet         Telnet

So, from the above, my mail gateway could send out to anybody, and anybody
can send to my mail gateway (and nowhere else). Any machine on my local 200
subnet can ftp or telnet to anywhere, but no inbound connections are
allowed.

Is this possible, or are we thinking in completely the wrong way? At this
stage it isn't necessary that the device exists in the UK, we can import if
necessary. The device probably needs to understand name servers as well. We
also have an eye on the future, so the Vendor would need to offer support
for OSI protocols.

Neil Todd               | ..In general, it is best to assume that the
PSI%234237100122::neil  | network is filled with malevolent entities
neil@stl.stc.co.uk      | that will send in packets designed to have
STC Technology Ltd      | the worst possible effect...
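The authorisation table in the post above, worked through as an added example (this is not part of the original post and not any vendor's product): a small Python matcher that parses the file exactly as written and applies default-deny to the first packet of each connection, so the stated outcomes (anybody to the mail gateway, the gateway to anybody, subnet 200 out but nothing in) can be checked against concrete connection attempts. Assumptions, labelled in the code as well: the address chosen for mymailgw, the standard well-known port numbers for smtp/ftp/telnet, and the interpretation that the port in each rule names the service at the destination end while the initiator's ephemeral port is ignored.

```python
"""Toy per-host, per-port, per-direction connection filter.

Parses an authorisation file in the 'host.port  host.port  comment' layout
from the post and decides whether the first packet of a TCP connection
(initiator -> responder) is permitted. Anything not listed is denied.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample input: the post's authorisation file, copied verbatim.
AUTH_FILE = """\
# Source                Dest             Comment
# host.port             host.port
*.smtp                  mymailgw.smtp    Mail service inbound
mymailgw.smtp           *.smtp           Mail service outbound
128.199.200.*.ftp       *.ftp            FTP
128.199.200.*.telnet    *.telnet         Telnet
"""

# Assumed name-to-address table (a real device would ask a name server);
# the address for mymailgw is invented for this example.
HOSTS = {"mymailgw": "128.199.1.5"}

# Assumed service-name to port table (the standard well-known ports).
SERVICES = {"smtp": 25, "ftp": 21, "telnet": 23}


@dataclass(frozen=True)
class Rule:
    src_host: str   # '*', a host name, or a dotted prefix ending in '.*'
    dst_host: str
    service: str    # service name taken from the destination 'host.port'
    comment: str


def split_host_port(spec: str) -> tuple[str, str]:
    """'128.199.200.*.ftp' -> ('128.199.200.*', 'ftp'); '*.smtp' -> ('*', 'smtp')."""
    host, _, port = spec.rpartition(".")
    if not host or port not in SERVICES:
        raise ValueError(f"bad host.port spec: {spec!r}")
    return host, port


def parse_rules(text: str) -> list[Rule]:
    """Read the authorisation file; '#' lines and blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, *comment = line.split(None, 2)
        src_host, src_port = split_host_port(src)
        dst_host, dst_port = split_host_port(dst)
        if src_port != dst_port:
            raise ValueError(f"service differs on the two sides of rule: {line!r}")
        rules.append(Rule(src_host, dst_host, dst_port, comment[0] if comment else ""))
    return rules


def host_matches(pattern: str, addr: str) -> bool:
    """'*' matches anything; 'a.b.c.*' matches by dotted prefix; else exact host."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return addr.startswith(pattern[:-1])      # keeps the trailing dot: '128.199.200.'
    return HOSTS.get(pattern, pattern) == addr    # named host or literal address


def permitted(rules: list[Rule], src_addr: str, dst_addr: str, dst_port: int) -> tuple[bool, str]:
    """Decide on a connection's first packet. The initiator's own (ephemeral)
    port is ignored; the rule's service name is matched against dst_port."""
    for r in rules:
        if (SERVICES[r.service] == dst_port
                and host_matches(r.src_host, src_addr)
                and host_matches(r.dst_host, dst_addr)):
            return True, r.comment
    return False, "no matching rule (default deny)"


def demo() -> list[tuple[tuple[str, str, int], bool]]:
    """Constructed connection attempts; 192.0.2.x are documentation addresses standing in for outside hosts."""
    rules = parse_rules(AUTH_FILE)
    cases = [
        ("192.0.2.10", "128.199.1.5", 25),     # outside -> mail gateway, smtp: allowed
        ("128.199.1.5", "192.0.2.10", 25),     # mail gateway -> outside, smtp: allowed
        ("192.0.2.10", "128.199.200.7", 25),   # outside -> ordinary inside host, smtp: denied
        ("128.199.200.7", "192.0.2.20", 21),   # subnet 200 -> outside, ftp: allowed
        ("192.0.2.10", "128.199.200.7", 23),   # inbound telnet: denied
        ("192.0.2.20", "128.199.200.7", 1025), # active-mode ftp data connection back inbound: denied
    ]
    return [(c, permitted(rules, *c)[0]) for c in cases]


if __name__ == "__main__":
    for (src, dst, port), ok in demo():
        print(f"{src} -> {dst}:{port}  {'ALLOW' if ok else 'DENY'}")
```

The last case in `demo()` is the one a practitioner would want to see: an active-mode FTP transfer has the remote server open a data connection back to an ephemeral port on the client, and a stateless table like this one denies it because no rule names that port. A filter of this kind therefore needs either per-connection state or a policy of passive-mode FTP for internal users; the same limitation is why the device would need to understand name servers, since the rule names hosts rather than addresses.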