Newsgroups: comp.unix.ultrix
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!ox.com!ox.com!emv
From: emv@ox.com (Ed Vielmetti)
Subject: Re: Internet security?
In-Reply-To: mogul@pa.dec.com's message of Thu, 18 Apr 91 01:05:03 GMT
Message-ID:
Sender: usenet@ox.com (Usenet News Administrator)
Organization: OTA Limited Partnership, Ann Arbor MI.
References: <1991Apr18.010503.28085@pa.dec.com>
Date: Thu, 18 Apr 1991 04:04:06 GMT

In article <1991Apr18.010503.28085@pa.dec.com> mogul@pa.dec.com (Jeffrey Mogul) writes:

> Not precisely the same thing, but Ultrix 4.2 will include the "screend"
> program. If you use an Ultrix system as a router, screend will allow you
> to control access at the router (instead of at the end system). This is
> more convenient when you are dealing with a large collection of hosts
> that have to be protected. For more information, see my paper in
> Proc. USENIX Summer '89, or wait for the documentation on the Ultrix 4.2
> kit.

I would bet that the software in decuac.dec.com:/public/sources/screend.tar.Z
would give you a taste of what's in 4.2, though from looking at the package
it's a beta version rather than a final product.

If you don't have the USENIX Summer '89 proceedings, the paper is in this
package (or at least the preprint is). It would appear that it might also be
available by mail from "wrl-techreports@decwrl.dec.com"; send a message with
the subject "help" for more instructions. The paper is "Simple and Flexible
Datagram Access Controls for Unix-based Gateways", March 1989.

Note that port-based router security doesn't help you at all if you have evil
people on the inside connecting to their accomplices outside; even the most
innocuous of "well-known ports" can be hijacked to tunnel datagrams through.
I don't recall the exact reference, but I believe something along these lines
was presented at a Usenix by some Bell Labs folks; the name "greyer" (instead
of "blacker") comes to mind.
-- 
Msen    Edward Vielmetti
/|---   moderator, comp.archives    emv@msen.com
"With all of the attention and publicity focused on gigabit networks, not much
notice has been given to small and largely unfunded research efforts which are
studying innovative approaches for dealing with technical issues within the
constraints of economic science."  RFC 1216
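As an added illustration of the kind of gateway datagram access control the thread discusses (this is not screend's code or rule syntax, just a first-match header filter in its spirit), the following evaluates constructed rules against constructed datagrams. The rule fields, the policy and the addresses (RFC 5737 documentation ranges) are assumptions made for the example; it also shows the limitation the reply points out, since the filter never sees a payload.

```python
# Added example, not screend's own code or rule syntax: a first-match datagram
# screen in the style of header-based gateway access controls. Field names,
# the sample policy and the addresses are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Datagram:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for protocols without ports)

@dataclass(frozen=True)
class Rule:
    src: str               # CIDR the source must fall in ("0.0.0.0/0" = any)
    dst: str               # CIDR the destination must fall in
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "reject"

    def matches(self, d: Datagram) -> bool:
        return (ipaddress.ip_address(d.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(d.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == d.proto)
                and (self.dport is None or self.dport == d.dport))

def screen(rules: List[Rule], d: Datagram, default: str = "reject") -> str:
    """Return the action of the first matching rule; deny when nothing matches.
    Only headers are consulted: whatever the endpoints exchange on an accepted
    port passes unseen, which is the limitation the reply above raises."""
    for r in rules:
        if r.matches(d):
            return r.action
    return default

# Constructed policy for a gateway in front of 192.0.2.0/24: inbound SMTP to
# the mail host only, inbound DNS to the name server only, anything outbound.
INSIDE = "192.0.2.0/24"
POLICY = [
    Rule("0.0.0.0/0", "192.0.2.10/32", "tcp", 25, "accept"),   # SMTP to mailhost
    Rule("0.0.0.0/0", "192.0.2.53/32", "udp", 53, "accept"),   # DNS to nameserver
    Rule(INSIDE, "0.0.0.0/0", None, None, "accept"),           # outbound traffic
    Rule("0.0.0.0/0", INSIDE, None, None, "reject"),           # other inbound
]

def decide_all(pkts: List[Datagram]) -> List[str]:
    """Apply the policy to a batch of datagrams and return the decisions."""
    return [screen(POLICY, p) for p in pkts]
```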