Vulnerability Development mailing list archives

Re: Firewalls and stuff (Was about N2H2)


From: mark () NS1 LOONEY COM (Mark)
Date: Sat Jun 17 13:52:53 2000


> Hmmm ... are you allowing the workstations to SSH out?  If so, then the
> kiddies can port forward a local port and surf on a remote, public
> proxy.  If not, then how do you expect to do secure remote access?

Our current situation is that these are W*ndows machines running on a
Novell network.  The only access to the outside are through a handful of
Unix servers.  This makes off-site administration of the NetWare network
impossible at the moment the way things are set up.  Solutions are being
researched.  The first step is getting the NetWare network to a point
where it can be managed remotely within the organization.  That happens
this summer.

SSH is the method being used for remote administration of the Unix
servers.  However, at the moment, I'm the only one using it, and the only
one performing remote administration.  This will change as I continue to
educate my co-workers.

> Bottom line:  firewalls are UTTERLY USELESS at containing people on the
> inside.  If they wanna get out, they will.

This is probably true.  But they make things more challenging.

> The most vigorous example of this is Marcus Ranum's implementation of
> TCP/IP running on top of DNS requests.

Do you have any pointers to information about this?  It -sounds- like it's
some form of tunnel, which would require something on the other end to
support it.  But, I do confess that to be a wild guess :)

> You CANNOT block someone on the inside from communicating data with the
> outside.  It's fairly difficult just detecting such communication if
> they don't want you to find it.

Again, probably true.  Maybe not.  For the TCP/IP over DNS, a sudden surge
in DNS traffic would be suspicious.

But, we are a really slow, backwoods-type school system.  We do have a few
kid stars, but on the average, people here don't even know how to use a
computer, much less accomplish the above.  I am amazed (and ashamed) at
hearing of wonders happening in other school systems, and other areas of
the country, and looking at what we have.  For example, there was a post
on Slashdot (I think) about one high school science fair project that
demonstrated DNA steganography.  We are barely past the "build a volcano
and explain it" in high school science fairs.

(Btw, this increases the problem I have in convincing the PHB of the
importance of security)

That does not mean we don't have to worry about it.  It just means we
might have a fighting chance in the race.

mark
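The "sudden surge in DNS traffic" idea from the message above, turned into something that can be run against a resolver's query log. This is an added example, not code from the original post or thread, and it does not reproduce Marcus Ranum's tunnel. It assumes a BIND-style "client <ip>#<port>: query: <name> IN <type>" log format, constructed sample lines (no real traffic), and illustrative thresholds; the point it adds to the post is that volume alone is a noisy signal, so it also looks at the shape of the first label, which is where a tunnel has to put its encoded payload.

```python
"""Heuristic detector for DNS tunnelling in resolver query logs.

Two per-client signals over a short time window:
  1. a query rate far above what a workstation normally produces, and
  2. first labels that are long and high-entropy (encoded payload).
Both must fire before a client is flagged.
"""
import hashlib
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a BIND-style "query:" format (assumed, not from
# any real resolver).  10.0.0.5 is an ordinary workstation; 10.0.0.9 is
# shipping data out as the first label of TXT queries to a domain it controls.
_NORMAL = [
    "17-Jun-2000 13:50:01.100 client 10.0.0.5#1025: query: www.example.com IN A",
    "17-Jun-2000 13:50:02.200 client 10.0.0.5#1026: query: mail.example.com IN MX",
    "17-Jun-2000 13:50:07.900 client 10.0.0.5#1027: query: slashdot.org IN A",
    "17-Jun-2000 13:50:09.300 client 10.0.0.5#1028: query: images.slashdot.org IN A",
]
# Hex chunks stand in for encoded payload; sha1 just keeps the sample deterministic.
_TUNNEL = [
    "17-Jun-2000 13:50:%02d.000 client 10.0.0.9#%d: query: %s.t.tunnel.example.org IN TXT"
    % (i, 2000 + i, hashlib.sha1(b"chunk%d" % i).hexdigest()[:32])
    for i in range(40)
]
SAMPLE_LOG = "\n".join(_NORMAL + _TUNNEL) + "\n"

_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that are not queries."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def shannon_entropy(s):
    """Bits per character.  Ordinary hostnames sit around 2; hex/base32 payload near 3.5-5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, window=60, rate_threshold=30,
            label_len_threshold=20, entropy_threshold=3.0):
    """Bucket queries per (client, window) and return the buckets that look like a tunnel.

    Rate alone is a weak signal (a mail relay or web proxy also does a lot of
    lookups) and label shape alone catches single CDN hostnames, so a bucket
    is reported only when both conditions hold.  Thresholds are illustrative.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, name, _qtype = rec
        seconds_of_day = ts.hour * 3600 + ts.minute * 60 + ts.second
        buckets[(ip, ts.date(), seconds_of_day // window)].append(name)

    alerts = []
    for (ip, day, slot), names in sorted(buckets.items()):
        first_labels = [n.split(".")[0] for n in names]
        count = len(names)
        mean_len = sum(len(l) for l in first_labels) / count
        mean_ent = sum(shannon_entropy(l) for l in first_labels) / count
        if (count >= rate_threshold and mean_len >= label_len_threshold
                and mean_ent >= entropy_threshold):
            start = slot * window
            alerts.append({
                "client": ip,
                "window_start": "%s %02d:%02d" % (day, start // 3600, (start % 3600) // 60),
                "queries": count,
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                # the parent zone is where the tunnel's server side must live
                "domains": sorted({n.split(".", 1)[1] for n in names if "." in n}),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Feeding the constructed log through `analyze()` flags only 10.0.0.9, and the reported parent zone is the domain an administrator would then want to block at the resolver or take up with whoever is running it. A tunnel that pads its queries out to look like ordinary hostnames and throttles itself below the rate threshold will slip past this, which is the honest caveat behind the original poster's point.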