Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!dali.cs.montana.edu!caen!uwm.edu!linac!att!ucbvax!FRODO.JDSSC.DCA.MIL!blknowle
From: blknowle@FRODO.JDSSC.DCA.MIL (Brad L. Knowles)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Setting up a Firewall system, proxy-ftp and proxy-telnet, ...
Message-ID: <9104261319.AA15264@frodo.jdssc.dca.mil>
Date: 26 Apr 91 13:19:55 GMT
Sender: usenet@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 76

Folks,

Keith McNeill (), says (in <9104251025.aa08966@louie.udel.edu>):

KM> We are setting up an internet gateway at work. Currently, we're going
KM> to set it up as a firewall system.

And later asks for help setting up a proxy-ftp and proxy-telnet system.

My first question is: Why a firewall system? Is it because David Curry in "Improving the Security of Your Unix System" recommends it?

Mitch Wright, System Administrator for a large network of machines owned by 7th Communications Group of the United States Air Force (here in the Pentagon), administrator for the Sun-386i mailing list, and in general, a knowledgeable kind of guy about Unix, says that a firewall system is not necessary if you set up the security on all of your systems to be as good as that of your proposed firewall system.

Additionally, Mitch says that if you are dependent upon your firewall system to protect you from system crackers, and they crack into your firewall system (based upon the presumption that no useful system is 100% cracker-proof), then you are left wide open to any attacks they may make. In fact, you may be even more vulnerable because the security on your other systems might be even more lax than it would be otherwise, because you were lulled into a false sense of security by your firewall system.

It was Mitch's arguments that convinced me that David Curry was wrong, perhaps even dangerously so.

The short of it is, with good security practices on all of your machines, nothing like what happened to Clifford Stoll (written about in "The Cuckoo's Egg") is likely to happen to you. No matter what machine they crack into, it is just as tough for them to crack into any of your other machines as it was for them to crack into the first. Yes, it does require additional work on your part, but with good perl and rdist scripts, combined with cron jobs, you should be able to reduce this workload significantly. Additionally, you really do get a lot more security, not just the illusion of more security.

If you want to talk to Mitch directly on this subject, so that he can get into a more detailed discussion of the subject, his e-mail address is "mitch@hq.af.mil".

My second question is: Do you really know what you would be letting yourself into by trying to set up a proxy-ftp and proxy-telnet system? Two vendors that I am aware of have done this in the past (although they may or may not currently have this kind of set up), Sun Microsystems and Digital Equipment Corporation. Both had to write their own custom proxy-ftp and proxy-telnet software, which they appear to have kept proprietary. I understand that there is some work going on in an IETF about standardizing on this kind of thing, but I don't know how far along they are. Jon Postel might be able to update you, but I would guess that he has so many RFC's that he is editing that he doesn't really have the time to stay up-to-date on this stuff.

Mike (mo@messy.bellcore.com), later says (in <9104251505.AA04390@bellcore.bellcore.com>):

MO> Another alternative is to install (for example) a Cisco gateway that
MO> allows incoming packets for telnet, ftp, etc to go to ONLY the gateway
MO> machine, but allows outgoing packets to the same ports from any machine
MO> to proceed unimpeded.

Wow! I didn't know that gateways like the cisco were capable of this kind of thing. Could you elaborate a little more as to how you set up your gateway to do this?

Please respond via e-mail. I will summarize and re-post, if appropriate.

________________________________________________________________________
| Brad Knowles                 | Internet: blknowle@frodo.jdssc.dca.mil  |
| System Administrator         |       or: blknowle@wis-cms.dca.mil      |
| DCA/JDSSC/JNSL               | Ph: (703) 693-5849 Fax: (703) 693-7329  |
| The Pentagon, Room BE685     |_________________________________________|
| Washington, D.C. 20301-7010  | my opinions != DCA's opinions or policy |
|______________________________|_________________________________________|
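The gateway filtering policy Mike describes (inbound ftp/telnet accepted only when addressed to the gateway machine, outbound ftp/telnet from any machine allowed) modelled in Python as an added example; this is not code from the thread or from any router. The site network 192.0.2.0/24, the gateway address, the sample outside host and the default-deny catch-all for other inbound connections are assumptions made for the example.

```python
"""Model of the described gateway policy: inbound TCP to ftp (21) or telnet (23)
only to the gateway host; outbound to those ports from any internal host. The
addresses and the default-deny catch-all are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed site network
GATEWAY = ip_address("192.0.2.1")           # only host that may receive ftp/telnet
SERVICE_PORTS = {21, 23}                    # ftp control, telnet

@dataclass(frozen=True)
class Packet:
    """Connection-opening TCP segment, reduced to the fields the filter uses."""
    src: str
    sport: int
    dst: str
    dport: int

def direction(pkt: Packet) -> str:
    src_in = ip_address(pkt.src) in INTERNAL_NET
    dst_in = ip_address(pkt.dst) in INTERNAL_NET
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "local" if src_in else "transit"

def decide(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason); rules are checked in order like a router ACL."""
    d = direction(pkt)
    if d == "inbound" and pkt.dport in SERVICE_PORTS:
        if ip_address(pkt.dst) == GATEWAY:
            return "permit", "inbound ftp/telnet terminates on the gateway"
        return "deny", "inbound ftp/telnet to an internal host"
    if d == "outbound" and pkt.dport in SERVICE_PORTS:
        return "permit", "outbound ftp/telnet from any internal host"
    if d == "inbound":
        # Assumed catch-all. It also blocks active-mode FTP data connections
        # (server port 20 -> client), so internal clients need passive mode
        # or must go through the gateway.
        return "deny", "default deny for other inbound connections"
    return "permit", "outbound, local and transit traffic not filtered here"

if __name__ == "__main__":
    # Constructed sample: outside host 198.51.100.7 talking to the site.
    for p in (Packet("198.51.100.7", 40000, "192.0.2.1", 23),
              Packet("198.51.100.7", 40000, "192.0.2.50", 23),
              Packet("192.0.2.50", 40001, "198.51.100.7", 21),
              Packet("198.51.100.7", 20, "192.0.2.50", 40002)):
        print(direction(p), p.dst, p.dport, *decide(p))
```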