Firewall Wizards mailing list archives
Inward telnet from insecure clients (was Re: Security Related Issues)
From: Bennett Todd <bet () rahul net>
Date: Wed, 6 May 1998 04:12:26 -0700
1998-05-05-14:37:51 Jim Leo:
We have our firewall in place, and issued 'smartcard' to those individuals [ running self-administered ("uncontrolled") win95 ] that require access to hosts inside the 'protected' zone.
I just had a thought. In a setting like this, how about rigging the daemon to scan the client? Strobe[1] can run pretty quickly; don't let someone log in at all until you've completed a strobe against 'em. Then let 'em in, and commence an nmap[2] alongside to make sure there aren't any UDP ports open. After the first time they log in, make a note, and from then on let 'em in immediately --- but launch an nmap at the same time as you let 'em in, and if ever they fail one disable 'em until a hand reset.

If a client isn't listening on any ports it can't be burgled over the net. Set the company policy that logins over the internet are only permitted from clients which themselves can't be easily burgled, which means they can't be listening for incoming connections. Offer assistance at securing clients up to company spec.

Combine something like this with ssh[3] and I think you could actually have a pretty safe inbound access from the internet.

-Bennett

[1] <URL:ftp://suburbia.net/pub/strobe.tgz>
[2] <URL:http://www.dhp.com/~fyodor/nmap/>
[3] <URL:http://www.cs.hut.fi/ssh/>
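The login gate sketched in the post, as an added example that is not the author's code: it parses nmap's greppable (-oG) output and applies the stated policy of scan-before-first-login, scan-alongside for known clients, and disable-until-hand-reset on any failure. The nmap command line is assumed and is not executed here; the client addresses and scan output are constructed samples.

```python
import re

# One entry of nmap's greppable "Ports:" field looks like
# port/state/protocol/owner/service/rpc/version/ ; we only need the first three.
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)")

# Constructed -oG samples: one client with nothing listening, one with services up.
CLEAN = "Host: 192.0.2.10 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: closed (1999)\n"
LISTENING = ("Host: 192.0.2.20 ()\tPorts: 139/open/tcp//netbios-ssn///, "
             "137/open/udp//netbios-ns///, 53/open|filtered/udp//domain///\n")

def open_ports(grepable):
    """Return {(port, proto)} that nmap reported exactly 'open'.
    UDP 'open|filtered' is left out: it means no reply at all, so nothing answered."""
    return {(int(p), proto) for p, state, proto in PORT_RE.findall(grepable)
            if state == "open"}

def nmap_command(client):
    """Assumed scan invocation (not run here): TCP SYN plus UDP, greppable to stdout."""
    return ["nmap", "-sS", "-sU", "-oG", "-", client]

class LoginGate:
    def __init__(self):
        self.cleared = set()   # clients that have passed a full scan at least once
        self.disabled = set()  # clients that failed a scan; out until hand_reset()

    def admit(self, client):
        """Decision when `client` connects: (let_in_now, when_to_scan)."""
        if client in self.disabled:
            return (False, None)            # failed earlier, needs a hand reset
        if client in self.cleared:
            return (True, "concurrent")     # known client: let in, scan alongside
        return (False, "before")            # first contact: scan before any login

    def record_scan(self, client, grepable):
        """Apply a finished scan's -oG output. True means the client passed."""
        if open_ports(grepable):
            self.disabled.add(client)
            self.cleared.discard(client)    # must pass a pre-login scan again after reset
            return False
        self.cleared.add(client)
        return True

    def hand_reset(self, client):
        """Operator clears a disabled client; it starts over as first contact."""
        self.disabled.discard(client)
```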