HP3000-L Archives

April 1996, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject: (none)
From: Daniel Kosack <[log in to unmask]>
Reply To: Daniel Kosack <[log in to unmask]>
Date: Fri, 19 Apr 1996 19:16:03 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (41 lines)

On Fri, 19 Apr 1996, Alan AMBERS wrote:
 
> I looked at this page and think that this concept would work.  Since all
> inbound traffic from the internet has one address (via our security
> stuff), The system wide logon could be set up to disallow any logon
> except the valid Library access.  And on our other systems, the logon
> UDC can be set up to disallow *ANY* logon from this address since we
> would not want to allow anyone from the outside to any of our other
> systems.
 
  Why not just remove these other systems from the network?  It is
possible to go from one system to the other if you've forgotten
something, esp. if the perpetrator is already behind the firewall.  You
could set up 2 different networks or, if you must have all systems on one
net, just establish a second firewall between PAS and the secure
network.  Be sure that you drop source-routed frames and source IP addresses;
they can be a real pain on a network.  Most routers drop source-routed
frames, but not source IPs.  If there are any UNIX systems (esp. out-of-
the-box ones running any sort of promiscuous-mode Ethernet support) on
the network, you are dead in the water and the hacker could remain on the
system for weeks, even months, without you even knowing your security was
compromised.  If the hacker can get to a network interface tap on a UNIX
machine, then the hacker could easily read all network traffic to his/her
little heart's content.  Having a PAS on the same tier as everything else
is very risky, IMHO.
 
  I wouldn't trust Sailor for any amount of money.  To allow incoming
from public access systems right through the firewall is a weee bit
scary.  Dan Hollis mentioned in an earlier "thread" that authentication
is the best means of access across WANs.  If you have clients coming
across any unknown or uncertain network, it is quite feasible to use some
sort of RSA encryption (Kerberos IV supposedly has a blaring hole).  If you
have anyone logging in on a sensitive machine with username and password in
clear text across the net, that can be very dangerous.  You don't know if
someone along the way (or if someone has broken into an upstream system) is
sniffing your packets, and a clear password is bad.
 
Daniel Kosack  -<[ Danny Boy ]>-
[log in to unmask]
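The policy Kosack sketches above (a second firewall between the public-access system and the secure tier, dropping source-routed frames and spoofed source addresses, and letting the PAS reach only the library logon) can be expressed as a small rule evaluator. The following is an added example written for this archive page, not code from the thread or from any HP 3000 product; the addresses, the interface names, the "library" host and its logon port are constructed placeholders drawn from RFC 5737 documentation ranges, and the packets are a constructed trace rather than captured traffic.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (hypothetical, RFC 5737 documentation ranges).
SECURE_NET = ipaddress.ip_network("192.0.2.0/24")     # the "secure" tier behind the 2nd firewall
PAS_HOST = ipaddress.ip_address("203.0.113.10")        # the public-access system's one address
LIBRARY_HOST = ipaddress.ip_address("192.0.2.20")      # the only system PAS users may log on to
LIBRARY_PORT = 23                                      # placeholder logon service port

# IP options that carry a loose or strict source route; both are dropped outright.
SOURCE_ROUTE_OPTIONS = {"LSRR", "SSRR"}


@dataclass
class Packet:
    iface: str                  # "ext": interface facing the PAS, "int": secure network side
    src: str
    dst: str
    dport: int
    ip_options: list = field(default_factory=list)


def evaluate(pkt: Packet):
    """Return (verdict, reason) for one packet crossing the second firewall."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # 1. Source-routed frames are dropped regardless of addresses.
    if SOURCE_ROUTE_OPTIONS & set(pkt.ip_options):
        return ("DROP", "source-routed frame")

    # 2. Anti-spoofing: a packet arriving from the outside may not claim an
    #    inside address, and an inside-facing interface may not see outside sources.
    if pkt.iface == "ext" and src in SECURE_NET:
        return ("DROP", "spoofed internal source address on external interface")
    if pkt.iface == "int" and src not in SECURE_NET:
        return ("DROP", "external source address on internal interface")

    # 3. Segmentation: from the PAS side only the library logon is reachable;
    #    every other destination on the secure tier is refused.
    if pkt.iface == "ext":
        if src == PAS_HOST and dst == LIBRARY_HOST and pkt.dport == LIBRARY_PORT:
            return ("ACCEPT", "PAS to library logon")
        return ("DROP", "outside host to secure network")

    return ("ACCEPT", "internal traffic")


def filter_trace(packets):
    """Apply the policy to a list of packets; returns (src, dst, verdict, reason) rows."""
    return [(p.src, p.dst) + evaluate(p) for p in packets]


# Constructed sample trace exercising each rule.
SAMPLE_TRACE = [
    Packet("ext", "203.0.113.10", "192.0.2.20", 23),                  # legitimate library logon
    Packet("ext", "203.0.113.10", "192.0.2.20", 23, ["LSRR"]),        # same, but source-routed
    Packet("ext", "192.0.2.5", "192.0.2.20", 23),                     # spoofed internal source
    Packet("ext", "203.0.113.10", "192.0.2.30", 23),                  # PAS to some other system
    Packet("int", "192.0.2.30", "192.0.2.20", 23),                    # secure-tier internal traffic
]

if __name__ == "__main__":
    for row in filter_trace(SAMPLE_TRACE):
        print("%-14s -> %-12s %-6s %s" % row)
```

Running the block prints one verdict per sample packet; only the first and last are accepted. The order of the checks matters: a source-routed packet is refused before any address is trusted, because the whole point of the source-route option is to make the sender's claimed path, not the router's, decide where the packet goes.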
