HP3000-L Archives

April 1996, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Dan Hollis <[log in to unmask]>
Reply To: Dan Hollis <[log in to unmask]>
Date: Mon, 8 Apr 1996 11:04:00 PDT
Content-Type: text/plain
Parts/Attachments: text/plain (43 lines)
>On Fri, 5 Apr 1996, Dan Hollis wrote:
>> I don't think it would matter -- you can't wrap VTSERVER anyway. The only
>> thing you can do is firewall it (or proxy it, but I don't think anyone has
>> done this). And if you have a firewall, tcp wrappers gain you very little.
>  Not just for NS services, but if telnet servers et al are coming with
>MPE/iX 5.5, then it may not be a bad idea.  To allow certain users at
>certain hosts to pass through, and to actually log hacking attempts with
>IDENT or TAP services may be better than global closure at one point
>before the actual server.
 
I would prefer something like strong authentication and encryption (Kerberos,
SSL). It is still possible to spoof IP addresses and get around access
control systems like tcpd. And logging IDENT/TAP is pretty useless as well
considering most ident/tap systems allow you to set the username and therefore
lie.
 
Especially considering people can connect up to terminal servers with PPP
and most ISPs have terrible logging (or nonexistent logging) on their
terminal servers so this information becomes next to worthless.
 
I'd rather prevent someone from getting in the door in the first place,
rather than logging their attacks after they have been made.
 
Stuff like Kerberos/SSL is nearly impossible to spoof. (Not 'impossible',
just 'nearly impossible' :-)
 
>> I think it's more important for MPE to have the capability of firewalling
>> than it is to have tcp wrappers.
>  Yes, but perimeter hosts can get behind firewalls, and without wrappers,
>you would not be able to determine who from which host attached to port
>number xxxx, correct?
 
If you have a proper firewall and proxy system you would not have to care.
They wouldn't be able to get to your system in the first place. (And if you
configured the proxy to log that information, you'd still have an 'audit
trail' although as I said before it would still be next to worthless.)
 
-Dan
.----------------------------------------------.
|Dan Hollis -- Pharmacy Computer Services, Inc.|
[log in to unmask]      -     (503)476-3139|
`----------------------------------------------'
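The point Dan makes about IDENT/TAP is that the username field in an RFC 1413 reply is simply whatever the remote host's identd chooses to return, so a wrapper that records it should never present it as a verified identity. The following parser is an added example for this archive page, not code from the original post or from any MPE/iX or tcp_wrappers release; the reply strings it handles are constructed, no network queries are made, and the audit-line format is an assumption of the example.

```python
"""Parse RFC 1413 (IDENT/TAP) replies and record them as claims, not facts.

Added example (not from the original mailing-list post). Sample replies are
constructed inline; nothing here talks to a real identd.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1413 reply grammar, simplified:
#   <server-port> , <client-port> : USERID : <opsys> [, <charset>] : <user-id>
#   <server-port> , <client-port> : ERROR  : <error-type>
# <server-port> is the port on the host that answered (the remote end),
# <client-port> is the port on the host that asked (the end running the wrapper).
_REPLY = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$"
)


@dataclass
class IdentResult:
    server_port: int
    client_port: int
    status: str             # "USERID" or "ERROR"
    opsys: Optional[str]    # operating system as *claimed* by the remote identd
    user: Optional[str]     # username as *claimed* by the remote identd
    error: Optional[str]    # error-type token on an ERROR reply


def parse_ident_reply(line: str) -> IdentResult:
    """Parse one reply line; raises ValueError on anything off-grammar."""
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed IDENT reply: {line!r}")
    sport, cport, status, rest = m.groups()
    if status == "ERROR":
        return IdentResult(int(sport), int(cport), status, None, None, rest.strip())
    # USERID branch: "<opsys>[,<charset>] : <user-id>"; opsys is a token and
    # cannot contain ':', so the first colon separates it from the user-id.
    opsys_part, sep, user = rest.partition(":")
    if not sep:
        raise ValueError(f"USERID reply missing user-id: {line!r}")
    opsys = opsys_part.split(",")[0].strip()
    return IdentResult(int(sport), int(cport), status, opsys, user.strip(), None)


def audit_line(peer_ip: str, result: IdentResult) -> str:
    """Render an audit-log line that labels the IDENT username as unverified.

    The remote host controls every byte of the reply, so the log must not let a
    reader mistake ident_claimed_user for an authenticated identity.
    """
    prefix = (f"peer={peer_ip} sport={result.server_port} "
              f"cport={result.client_port}")
    if result.status == "ERROR":
        return f"{prefix} ident=none ident_error={result.error}"
    return (f"{prefix} ident_claimed_user={result.user!r} "
            f"ident_claimed_os={result.opsys} trust=unverified")


if __name__ == "__main__":
    # Constructed sample replies; the third shows a host returning an
    # arbitrary name, which the parser cannot distinguish from a real one.
    for reply in ("6191, 23 : USERID : UNIX : stjohns",
                  "6191, 23 : ERROR : NO-USER",
                  "6193, 23 : USERID : OTHER, US-ASCII : root"):
        print(audit_line("192.0.2.10", parse_ident_reply(reply)))
```

Because the OTHER/US-ASCII reply yields `ident_claimed_user='root'` with the same `trust=unverified` tag as any other, the log keeps the trail Dan describes while making its limited value explicit.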
