Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watmath!clyde!rutgers!ukma!david
From: david@ukma.UUCP
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Ethernet Bridge
Message-ID: <7603@g.ms.uky.edu>
Date: Sat, 31-Oct-87 11:25:45 EST
Article-I.D.: g.7603
Posted: Sat Oct 31 11:25:45 1987
Date-Received: Mon, 2-Nov-87 07:09:21 EST
References: <8710302138.AA04810@ucbvax.Berkeley.EDU>
Reply-To: david@ms.uky.edu (David Herron -- Resident E-mail Hack)
Organization: U of Kentucky, Mathematical Sciences
Lines: 39

We're also looking around for ether gateway boxes ... One that looks very very very interesting is the LANbridge 100. But there are security concerns. One of the people in our group is going to squawk over and over about how insecure we are unless we're behind an IP gateway of some sort.

What do people think about the security issues?

Right now, the concern is someone creating a situation where one of our equiv hosts is down, the bad guy boots a machine that says he is the now-down machine and creates a suid shell on another of the equiv machines, then goes away.

The assumption is that if we're hiding behind an IP gateway then the gateway can see that these packets coming in from outside, claiming to be from inside our net, aren't valid and will toss them. If we're instead using the LANbridge then we don't have any way of telling that the bad guy is coming in from elsewhere.

We made an informal survey of gateway techniques at the AT&T users group meeting last spring in Colorado. (I wasn't there so don't know the details, but...) I was told that the people fell into two groups. One group used IP gateways and the other used ether-level gateways. Not one of the people using IP gateways used them for purposes of security ...

Does everybody just ignore the security issue? How do you sleep at night?

Oh, we also realize the huge security hole that NFS is as well. Somehow we sleep at night with that one. At least most of us do; the squawker mentioned above probably doesn't.... :-)

-- 
<---- David Herron, Local E-Mail Hack, david@ms.uky.edu, david@ms.uky.csnet
<---- {rutgers,uunet,cbosgd}!ukma!david, david@UKMA.BITNET
<---- I thought that time was this neat invention that kept everything
<---- from happening at once. Why doesn't this work in practice?
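The point the post makes about bridges versus IP gateways can be shown in a few lines: a transparent Ethernet bridge decides on MAC addresses only, so a frame that arrives from the outside claiming an inside IP source is indistinguishable from a real one, while an IP gateway that knows which network lives on which port can refuse a packet whose source address is on the wrong side. The following is an added illustration, not code from the original post or from anyone at Kentucky; the network number 192.0.2.0/24, the MAC addresses, the port names and the sample traffic are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the network "behind" the box.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
INSIDE, OUTSIDE = "inside", "outside"


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame carrying an IP packet, as the box sees it on arrival."""
    ingress: str      # port the frame came in on: INSIDE or OUTSIDE
    src_mac: str
    src_ip: str
    dst_ip: str
    note: str = ""    # label used to report the decision


class EthernetBridge:
    """Transparent learning bridge: forwards on MAC addresses only.

    It has no notion of an IP address, so a frame arriving on the outside
    port with an inside IP source looks like any other frame to it."""

    def __init__(self):
        self.mac_table = {}

    def decide(self, frame):
        # Learning: whoever last sent from this MAC is assumed to live on that
        # port. A spoofer on the outside port therefore overwrites the entry
        # of the (down) host it impersonates, and the bridge forwards anyway.
        self.mac_table[frame.src_mac] = frame.ingress
        return "forward"


class IPGateway:
    """Routing box that applies source-address (anti-spoofing) filtering.

    A packet claiming an internal source must arrive on the inside port, and a
    packet arriving on the inside port must claim an internal source."""

    def __init__(self, internal_net):
        self.internal_net = internal_net

    def decide(self, frame):
        src = ipaddress.ip_address(frame.src_ip)
        claims_internal = src in self.internal_net
        if frame.ingress == OUTSIDE and claims_internal:
            return "drop: internal source address arrived from outside"
        if frame.ingress == INSIDE and not claims_internal:
            return "drop: external source address originated inside"
        return "forward"


def simulate(frames):
    """Run the same traffic through both boxes; return {note: (bridge, gateway)}."""
    bridge, gateway = EthernetBridge(), IPGateway(INTERNAL_NET)
    return {f.note: (bridge.decide(f), gateway.decide(f)) for f in frames}


# Constructed sample traffic. 192.0.2.10 and 192.0.2.20 are two "equiv" hosts.
SAMPLE_TRAFFIC = [
    Frame(INSIDE, "aa:aa:aa:00:00:01", "192.0.2.10", "192.0.2.20", "legit inside->inside"),
    Frame(OUTSIDE, "cc:cc:cc:00:00:07", "198.51.100.5", "192.0.2.20", "legit outside->inside"),
    # The scenario from the post: 192.0.2.10 is down, and a machine on the far
    # side of the box boots up claiming to be it and talks to its equiv peer.
    Frame(OUTSIDE, "aa:aa:aa:00:00:01", "192.0.2.10", "192.0.2.20", "spoof of down equiv host"),
]

if __name__ == "__main__":
    for note, (b, g) in simulate(SAMPLE_TRAFFIC).items():
        print(f"{note:26s} bridge={b:8s} gateway={g}")
```

Two caveats worth keeping in mind when reading the output. The gateway's check only helps when the impersonator is on the far side of the box; a machine plugged into the inside segment can still claim the down host's address and neither device will notice. And the bridge is not merely blind: its learning table is rewritten by the spoofed frame, so the impostor also receives whatever is sent back to the host it is pretending to be.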