How the Web Was Won

Subject: Re: WWW security
From: R Ballard
Date: Mon, 1 May 1995 04:54:40 -0400 (EDT)
In-Reply-To: <950420164316_90147841@aol.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Thu, 20 Apr 1995 Hawkeye130@aol.com wrote:

> While sitting in on a committee meeting of reporters discussing setting up
> connections to the Internet to use as a reference source, our MIS guy made a
> claim that I find hard to believe. I don't have the technical background to
> know if what he says is correct, so maybe those of you more technical-minded
> folk on this list can answer it.

Your favorite internet guru at your service.

> He says that when one of our PCs on our internal (ethernet) network goes
> online, via a modem connection to an ISP, it opens up a way for someone on
> the outside to get into our internal business network. I know there are
> legitimate security concerns if we had our own dedicated internet server on
> our network and that it served as our access point into the Internet. But I
> thought that it was pretty much a one-way street if I log on thru an ISP via
> standard phone lines.

This is largely dependent on what TCP/IP software you are running.  Most,
such as Trumpet, only let you enable one interface at a time.  FTP
Associates and Frontier give you the option of turning IP routing on or
off.  With the Microsoft, Sun (PCNFS) or Novell, you should not use SLIP;
you should connect a router with a packet filter directly to the
ethernet and turn on source filtering.

Unix machines are also best left not connected to the modems.  In fact,
any computer that can act as a server should be kept on the appropriate
side of the fire-wall.  This includes OS/2 and Windows NT.  You are safer
with a Cisco router and Janus Fire-wall than you are with an X.25 or
Dial-Up terminal server link.

Any server on the outside of the firewall should have telnet, ping, and
rsh/rlogin disabled.  There are good books and documentation on how to
put security on to your system.

Another high risk venture is giving dial-up access through terminal
servers or "BBS" software.  There are applications which can be uploaded
into a multitasking operating system which will turn it into a PPP or
SLIP server and give internet access through the "back door".

The BEST way to protect a corporate LAN is to use secured servers such as
kerberos and allow access exclusively through the internet into a single
fire-wall server.  Use netgroups, sub-netting, and packet-filtering to
put up additional tiers of fire-walls as needed.

You should turn on accounting and address logging to monitor all incoming
traffic.  If someone does break in they will be easier to trace.  Don't
use clear-text passwords; use pcnfsd or kerberos or rpcauth for telnet
servers.  OSF/1 machines (IBM, DEC, HP, ...) offer secure servers.

> Is it possible for someone on the Internet to hack their way thru my ISP's
> server, up my phone line and modem into my PC, and then be able to get at my
> network drive and into our mainframe system?

If you are running the right/wrong software, yes.
You should set up subnets and authentication schemes to protect yourself.
You can make sure that your system operators are alerted the second it
happens and that the intruder is apprehended.

Generally, the routing is "one way".  That is, I can specify your host as
a router from my machine to your mainframe, but the mainframe will not
consider your host a route back to my machine.  In addition, if you put
inbound packet filtering on your workstation's subnet, the router will
see the illegal address, kill the packet, and alert the operator.

> John Graham
> "Money can't buy happiness; it can, however, rent it."

Rex Ballard.
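An added illustration of the inbound packet filtering and address logging that the reply above recommends (example code written for this archive page; it is not part of the original message and not the software of any product the message names). The subnet, the interface names "ext" and "lan", and the packet records are constructed, and the three rules are an assumption about what "source filtering" on a router between the modem side and the workstation subnet would enforce: drop packets arriving from outside that claim an inside source address, drop packets leaving the inside with a foreign source, and refuse to forward transit traffic for outsiders, logging every drop so an operator can be alerted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the workstation subnet (RFC 5737 documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on: "ext" (modem/ISP side) or "lan"
    src: str    # source IP address as written on the packet
    dst: str    # destination IP address


def filter_inbound(pkt: Packet) -> tuple[str, str]:
    """Apply the router's source-filtering rules to one packet.

    Returns ("accept" | "drop", reason). Hypothetical rule set, see lead-in.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "ext" and src in INTERNAL_NET:
        # An outsider claiming an inside address: the "illegal address" case.
        return "drop", "spoofed internal source on external interface"
    if pkt.iface == "lan" and src not in INTERNAL_NET:
        # Inside host sending with a foreign source; never let it leave.
        return "drop", "foreign source on internal interface"
    if pkt.iface == "ext" and dst not in INTERNAL_NET:
        # Routing is one way: this router does not forward for outsiders.
        return "drop", "transit packet not destined for the internal subnet"
    return "accept", "ok"


def run_filter(packets):
    """Run every packet through the filter.

    Returns (accepted_packets, alert_lines); each dropped packet produces one
    log line carrying the offending addresses, which is the address logging
    that makes a break-in attempt traceable.
    """
    accepted, alerts = [], []
    for p in packets:
        verdict, reason = filter_inbound(p)
        if verdict == "drop":
            alerts.append(f"ALERT iface={p.iface} src={p.src} dst={p.dst}: {reason}")
        else:
            accepted.append(p)
    return accepted, alerts


# Constructed sample traffic: one legitimate inbound reply, one spoofed
# packet, one legitimate outbound packet, one transit packet.
SAMPLE = [
    Packet("ext", "198.51.100.7", "192.0.2.10"),
    Packet("ext", "192.0.2.5", "192.0.2.10"),
    Packet("lan", "192.0.2.10", "198.51.100.7"),
    Packet("ext", "198.51.100.7", "203.0.113.9"),
]

if __name__ == "__main__":
    ok, log = run_filter(SAMPLE)
    print(f"accepted {len(ok)} packet(s)")
    for line in log:
        print(line)
```

The filter keys on the arrival interface, not only on addresses: the same source address is legitimate on one side of the router and forged on the other, which is why a host that enables two interfaces at once with IP routing turned on defeats the whole arrangement.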
