Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!usc!jerico.usc.edu!kmeyer
From: kmeyer@jerico.usc.edu (Kraig R. Meyer)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Reducing the risks when connecting to an internet
Message-ID: <28376@usc>
Date: 25 Nov 90 03:20:35 GMT
References: <3768@stl.stc.co.uk>
Sender: news@usc
Reply-To: kmeyer@usc.edu
Organization: University of Southern California, Los Angeles, CA
Lines: 25
Nntp-Posting-Host: jerico.usc.edu
Originator: news@jerico.usc.edu

In article <3768@stl.stc.co.uk>, neil@stl.stc.co.uk writes:
|>...We wish to reduce the risk of unwanted external visitors
|>as far as possible, whilst allowing our internal users access to other
|>hosts.
|>
|>One possibility is to acquire a device to sit between our backbone and
|>the outside world. This device would be programmable so that I could
|>authorise connections on a per host, per port, per direction basis.

Depending on how much isolation you want from the outside world, another
option (besides using filtering at the TCP/IP level in a router) is to use
a unix box as an application level gateway. This is definitely an
inconvenience to your users, which may or may not be a good thing
depending on what your isolation goals are and how paranoid you are.

For example, you can configure sendmail to forward mail in both directions
and then only give accounts on the gateway unix machine to those people
who you want to allow ftp/telnet/etc access to the outside network. That
makes access on a per-person basis, rather than on a per-IP-address basis.
Filtering in the way you've described would not, for example, prevent an
internal user from spoofing IP addresses (if that is an issue).

---------------------------------------------------------------------------
| Kraig R. Meyer                                      kmeyer@usc.edu      |
| University of Southern California                   Los Angeles         |
---------------------------------------------------------------------------
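The two models discussed in this thread, as an added example that is not part of the original post or its author's setup: a first-match packet filter keyed on direction, host and port (what the original question asks for), beside the per-person decision an application-level gateway makes once mail is relayed by sendmail and only account holders can use other services. Every address (TEST-NET ranges), the rule table and the account names are constructed for illustration; `filter_decision` and `gateway_decision` are hypothetical helpers, not any router's or gateway's real configuration language.

```python
"""Constructed comparison of a per-host/port/direction packet filter with a
per-person application-level gateway. Addresses, rules and account names are
all made up for illustration; nothing here is taken from a real network."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("192.0.2.0/24")        # constructed internal network (TEST-NET-1)
MAIL_HOST = ip_network("192.0.2.25/32")    # constructed: the host running sendmail
WORKSTATION = ip_network("192.0.2.10/32")  # constructed: the one host allowed to telnet/ftp out


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" = outside -> inside, "out" = inside -> outside
    src: IPv4Network          # source addresses the rule matches
    dst: IPv4Network          # destination addresses the rule matches
    dport: Optional[int]      # destination TCP port; None matches any port
    action: str               # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int


# Constructed rule table. The first rule drops anything arriving from outside
# that claims an internal source address (boundary anti-spoofing); then mail
# in and out for the mail host only, telnet and ftp out from one workstation
# only. Everything else falls through to the default deny.
RULES: List[Rule] = [
    Rule("in", INSIDE, ANY, None, "deny"),
    Rule("in", ANY, MAIL_HOST, 25, "permit"),
    Rule("out", MAIL_HOST, ANY, 25, "permit"),
    Rule("out", WORKSTATION, ANY, 23, "permit"),
    Rule("out", WORKSTATION, ANY, 21, "permit"),
]


def filter_decision(rules: List[Rule], pkt: Packet) -> str:
    """Router-style filter: first matching rule wins, default deny.

    The decision depends only on direction, addresses and port. Nothing
    identifies the person behind the packet, so two packets carrying the same
    source address are treated identically whoever sent them, which is the
    limitation the post points out for internal users.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if (rule.direction == pkt.direction
                and src in rule.src and dst in rule.dst
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action
    return "deny"


# Constructed: the people who have been given accounts on the gateway box.
GATEWAY_ACCOUNTS = {"alice", "bob"}


def gateway_decision(user: Optional[str], service: str) -> str:
    """Application-level gateway: sendmail relays mail for everyone, while any
    other outbound service requires a login on the gateway, so the decision
    is made per person rather than per address."""
    if service == "smtp":
        return "permit"
    return "permit" if user in GATEWAY_ACCOUNTS else "deny"


def main() -> None:
    outside = "198.51.100.7"              # constructed external host (TEST-NET-2)
    samples = [
        Packet("in", outside, "192.0.2.25", 25),   # mail delivery to the mail host
        Packet("in", outside, "192.0.2.10", 23),   # inbound telnet: no rule, denied
        Packet("in", "192.0.2.25", "192.0.2.25", 25),  # internal source from outside: dropped
        Packet("out", "192.0.2.10", outside, 23),  # the authorised workstation
        Packet("out", "192.0.2.11", outside, 23),  # another internal host: denied
    ]
    for pkt in samples:
        verdict = filter_decision(RULES, pkt)
        print(f"filter  {pkt.direction:3} {pkt.src:>12} -> {pkt.dst}:{pkt.dport}  {verdict}")
    for user, service in [("alice", "telnet"), ("carol", "telnet"), ("carol", "smtp")]:
        print(f"gateway {user:6} {service:6}  {gateway_decision(user, service)}")


if __name__ == "__main__":
    main()
```

The point to notice is the signature of `filter_decision`: it takes no user argument, because a router filter has nothing to key on but the packet. The anti-spoofing rule at the top of the table only helps at the boundary (packets arriving from outside with an inside source address); it does nothing about an internal host that adopts the authorised workstation's address, which is exactly why the per-account gateway model is the stronger control when that is a concern.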