Xenophobic TCP gatewaying
John Nagle
nagle at well.sf.ca.us
Mon Oct 8 07:30:00 AEST 1990
turner at ksr.com (James M. Turner) writes:
>We're starting to look at the problem of securing a potential Internet
>gateway. Basically, the problem can be stated as such:
>We want to be able to accept incoming mail and news, and make FTP requests
>and logins to the net. Other than that, we don't want ANY incoming or
>outgoing traffic allowed. In addition, we want to have verified and
>absolutely secure versions of the daemons to be the ones we run. We also
>want to be able to make FTP requests from any machine on the local net,
>but DO NOT want any packet from the outside to be able to pass the gateway
>machine.
>Has anyone attacked this problem to date, and if so, what recommendations
>can you make?
Given your statement of the problem, the level of security you want to
achieve will be very difficult to reach. NSA has spent millions on that
problem. Check into the old ACAT/GUARD program at Logicon.
It's possible to restrict the packets which open TCP connections, but
under the set of restrictions you outline, the Morris worm still would
have gotten through, just as it got through the ARPANET/MILNET gateways,
which implement restrictions similar to the ones you outline.
If you're willing to disallow all actual connections through the gateway,
and just use it to forward mail and news, the problem becomes more
tractible. Someone still might find a way a way to crack the gateway
machine, though, since it's on the Internet. A more secure approach would
involve two machines, one on the Internet and one on your internal net,
interconnected by a dumb serial link used to send mail and news in a
simple format with as little control information as possible.
John Nagle
More information about the Comp.sys.sun
mailing list