Path: sparky!uunet!olivea!hal.com!decwrl!sdd.hp.com!think.com!spdcc!dyer
From: dyer@spdcc.com (Steve Dyer)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Firewall usage (was: Re: ping works, but ftp/telnet get "no route)
Message-ID: <1992Jul23.164314.4722@spdcc.com>
Date: 23 Jul 92 16:43:14 GMT
References: <BrruC8.FEo@spock.dis.cccd.edu> <BrsM1C.36v@cs.columbia.edu> <1992Jul23.142026.20112@sci34hub.sci.com>
Organization: S.P. Dyer Computer Consulting, Cambridge MA
Lines: 52

I was always under the opinion that "firewalls" and "mailbridges" (as they
were originally proposed for use when the ARPAnet and MILNET split) were a
Bad Thing. To a certain extent I still agree. However, after my experience
with this most recent Sun hacker/cracker who was meandering around the net
a few months ago invading hundreds of Suns and Ultrix machines, I have a
different opinion. I was in the unfortunate situation of being responsible
for a group of Suns which were being invaded, and the loss of time and the
disruption which the research group experienced due to this was more than
annoying; it disrupted and sometimes destroyed real work. I was doing
this strictly pro bono in an informal capacity with a group I am associated
with, but at least I'm pretty familiar with the kinds of problems there are.
God help the burgeoning majority of workstation users who are totally
ignorant of issues like security as it relates to networks.

Listen, unless someone has a dedicated system manager who does nothing
else, and is a security fiend, it is very difficult to be protected
against someone who has infinite time, machine-like patience and an
encyclopedic knowledge of existing security holes in the binary distributions
of systems as shipped from companies like Sun. Oh, and did I mention Sun?
These days, the situation is much more likely to be an autonomous
researcher taking a commodity out of a box and plugging it into their
institution's 10-Base-T connector in the wall. Their interests are not
security; they've purchased this box to get their job done. You can't hand
them a 20-page paper giving them instructions on how to FTP and then apply
the 30 most recent program patches to their version of the OS, that is,
once they've determined that patch #8 doesn't conflict with patch #1
and if they haven't upgraded their OS and wiped out earlier patches which
never got into subsequent commercial releases. And few sites are large
enough and deem it important enough to provide support for this endeavor
centrally.

The creation of CERT was a good idea, but it's so far been mainly
reactive. That's not a criticism, mind you--right now, that's a
full-time job as it is.

I see the use of gateways and other technologies to provide a firewall
as inevitable and, for some sites, essential to their use of internetworks
today. It's not just big multi-billion companies worrying about the loss
of trade secrets anymore, it's a matter of allowing unsophisticated users
to get their work done without interference from some sociopath with too
much time on his hands.

There are some real structural problems here. Just one part of this
is the attention to security in their distributed products by the OS
vendors, which is remarkably lackluster. Of course, what do you expect
when they don't warrant their software to actually DO anything anyway
except take up space on a distribution medium? :-)

--
Steve Dyer
dyer@ursa-major.spdcc.com aka {ima,harvard,rayssd,linus,m2c}!spdcc!dyer