HP3000-L Archives

April 1995, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Daniel Hollis <[log in to unmask]>
Reply To: Daniel Hollis <[log in to unmask]>
Date: Sun, 9 Apr 1995 23:19:43 -0700
Content-Type: text/plain
> Greetings network security cognoscenti:
>     We have an HP3000 as a node on a local network, along with two
> Novell servers, multiple DTC's and a growing number of PC's.
> Also connected to that LAN is a Cisco 3000 router, supplied by
> Riverside County, which provides our Internet connection.  Riverside
> County refuses to give us (or any of the other school districts connected
> through them to the Internet) any access to their router and its packet
> filtering capabilities.
 
We have the same situation with a couple of our clients. We'd like to
provide them support over the internet but they would like the connection
to be relatively secure. A couple of them do not have access to the
router so they cannot packet filter.
 
We wrote a program to validate VT connections and reject or allow them
based on a filtering rule file. It works pretty well, but requires, at
the very least, two things from their provider:
 
1) They prevent packets with source routing
2) They prevent packets from the outside with a source address the same
as the internal network
 
These two filtering rules are simply common sense, but it is amazing how
many providers don't (or will not) do it. If they won't do this, it's
time to find another provider.
 
One solution may be to buy a cheapo PC, put two ethernet cards in it, and
use it as a filtering bridge. We do our filtering with Linux; it works very
well (although we have generic filtering rules in our router, the Linux
filter is more specific for the segment the HP3000 is on).
 
The combination of our software and very basic anti-IP-spoofing rules
should provide adequate security for VT connections (or anything that
calls "hello" and executes global UDCs). However, it cannot protect ftp
connections. For that you really need a router.
 
I would hope that in the next release of MPE/iX HP implements some
sort of filtering rule system. HP's security in that respect is _very_
lacking.
 
MPE 5.0 gives you internet connectivity, ftp, etc. but without some very
basic firewalling rules it can be next to useless.
 
-Dan
----
------------------------------------------------------------------------------
Dan Hollis                | Seiyuu Daisuki! |    mokkori.jcic.org servers:
JCIC System Administrator | Orikasa Ai      | http:LPA-HOWTO     (Linux page)
http://www.jcic.org/      | Yokoyama Chisa  | http:SM.html  (SM Records page)
[log in to unmask]       |    ("(^_^)")    | Ztalk     (Internet voice mail)
------------------------------------------------------------------------------
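The two ingress rules Dan asks his providers for (drop source-routed packets; drop packets arriving from outside that claim an inside source address) expressed as a small filter, as an added example that is not Dan's program or part of the original post. The interface names, the internal prefix and the sample datagrams are constructed; the IPv4 option codes for LSRR (131) and SSRR (137) are the real RFC 791 values.

```python
import ipaddress
from dataclasses import dataclass, field

# IPv4 option type codes for source routing (RFC 791):
# 131 = Loose Source and Record Route, 137 = Strict Source and Record Route.
SOURCE_ROUTE_OPTIONS = frozenset({131, 137})


@dataclass
class Packet:
    """Minimal view of an inbound datagram, as a bridge filter would see it."""
    ingress: str                  # interface the packet arrived on (constructed names)
    src: str
    dst: str
    options: frozenset = field(default_factory=frozenset)  # IPv4 option type codes


@dataclass
class IngressFilter:
    """Applies the two 'common sense' rules from the post at the outside interface."""
    external_if: str
    internal_nets: list

    def __post_init__(self):
        self.internal_nets = [ipaddress.ip_network(n) for n in self.internal_nets]

    def evaluate(self, pkt: Packet) -> tuple:
        # Rule 1: refuse anything carrying a source-route option, on any interface,
        # since source routing lets the sender dictate the path and the reply path.
        if pkt.options & SOURCE_ROUTE_OPTIONS:
            return False, "source-routed packet"
        # Rule 2: a packet from the outside must never claim an inside source address.
        if pkt.ingress == self.external_if:
            src = ipaddress.ip_address(pkt.src)
            if any(src in net for net in self.internal_nets):
                return False, f"spoofed internal source {pkt.src} on {pkt.ingress}"
        return True, "ok"


def run_sample():
    """Evaluate four constructed datagrams against a constructed site layout."""
    f = IngressFilter(external_if="eth0", internal_nets=["192.0.2.0/24"])
    samples = [
        Packet("eth0", "198.51.100.7", "192.0.2.10"),                    # normal inbound
        Packet("eth0", "192.0.2.5", "192.0.2.10"),                       # spoofed inside src
        Packet("eth1", "192.0.2.5", "198.51.100.7"),                     # inside host, fine
        Packet("eth0", "198.51.100.7", "192.0.2.10", frozenset({131})),  # LSRR option
    ]
    return [f.evaluate(p) for p in samples]
```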
