Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!cbatt!ukma!brian
From: brian@ukma.UUCP
Newsgroups: comp.unix.wizards
Subject: Internet security question.
Message-ID: <6058@ukmf.ukma.ms.uky.csnet>
Date: Tue, 10-Mar-87 20:31:07 EST
Article-I.D.: ukmf.6058
Posted: Tue Mar 10 20:31:07 1987
Date-Received: Wed, 11-Mar-87 20:47:06 EST
Sender: news@ukma.ms.uky.csnet
Organization: U of Kentucky, Mathematical Sciences, Lexington KY
Lines: 23

We will soon be attached to the internet, and I have some concerns about
how our systems should be connected. We are running 4.3BSD+NFS on several
vaxes communicating over ethernet. As the ethernet contains only machines
which are "trusted", most of the hosts are equivalent to each other.

My question is what happens when one of these hosts is connected to the
outside world. I assume that it would be a good idea to bring the outside
in through a separate device, but even so how do I prevent someone on the
outside from passing packets which make him appear to be one of our
"equivalent" hosts?

An example may clarify what I mean. Let's say that our local net is 100
and the "outside" net is 101. Since I want all of the machines on net 100
to be able to talk outside I set up the machine attached to both as a
gateway by telling my machines to send all unroutable packets to 101
(right?). Now what keeps Nasty person X on net 201 (attached to 101) from
claiming to be on net 100 and thus enjoying the equivalent privileges?

Is there some way to configure 4.3 to do this for me that I do not see?
How do big sites handle this?

--
Brian Sturgill
System Manager
University of Kentucky
Departments of Mathematical Sciences
cbosgd!ukma!brian, brian@UKMA.BITNET, brian@ms.uky.csnet