Xenophobic TCP gatewaying
Lars Poulsen
lars at spectrum.cmc.com
Mon Oct 8 07:30:00 AEST 1990
In article <1990Sep20.203310.373 at rice.edu> turner at ksr.com (James M. Turner) writes:
>We're starting to look at the problem of securing a potential Internet
>gateway. Basically, the problem can be stated as such:
>
>We want to be able to accept incoming mail and news, and make FTP requests
>and logins to the net. Other than that, we don't want ANY incoming or
>outgoing traffic allowed. In addition, we want to have verified and
>absolutely secure versions of the daemons to be the ones we run. We also
>want to be able to make FTP requests from any machine on the local net,
>but DO NOT want any packet from the outside to be able to pass the gateway
>machine.
We do it in a two-step:
(1) Our connection to the outside world is a non-programmable IP
router with an ethernet plug on one side, and an X.25 connection
to the local NSF-regional on the other side.
This router is told to discard any packets with an ethernet IP
address other than that of our "logical gateway" (see below).
In our instance, the physical gateway is our own DRN-3200,
but many ULANA compliant IP routers have such security filters.
(2) The logical gateway is a Sun 3/50 which does not participate in
Yellow pages, and does not import any filesystems. It does, however,
export some file systems, such as /usr/news, RFC repositories,
etc.
(3) The logical gateway may be trusted by any other hosts on the site.
The logical gateway may trust any other hosts it cares to.
We believe this to be simpler and safer than putting network connections
on the largest fileserver around, and then trying to secure it. Since
security and convenience are obviously opposites, each site must make its
own tradeoffs.
/ Lars Poulsen, SMTS Software Engineer
CMC Rockwell lars at CMC.COM
More information about the Comp.sys.sun
mailing list