
BSD Firewall

R. Les Cottrell <cottrell@slac.stanford.edu>, Stanford Linear Accelerator Center (SLAC). Presented at the SCS Technical Coordination Meeting, July 22, 1998. www.slac.stanford.edu/grp/scs/net/talk/bsd-fw/


Presentation Transcript


  1. BSD Firewall
     R. Les Cottrell <cottrell@slac.stanford.edu>
     Stanford Linear Accelerator Center (SLAC)
     Presented at SCS Technical Coordination Meeting, July 22, 1998
     www.slac.stanford.edu/grp/scs/net/talk/bsd-fw/
     uc.slac.stanford.edu/cottrell/slac/bsd-fw

  2. Introduction
     • Securing BSD SLAC is a requirement from Richter
     • Protect BSD without destroying the open collaborative environment for most of SLAC
     • This meeting's goals:
       • explain the current understanding & improve it
       • put forward some first steps
       • raise questions / concerns
       • prioritize and assign resources to address as appropriate

  3. Possible Concept
     [Network diagram: a firewall separating BSD (~200 hosts) from the rest of SLAC. Elements shown inside BSD: ADSM, www-bis, ISDN, Purch, Dev Web, NTFS', Plan, PS, DNS', NTP', Sage, DHCP, SMS', web-proxy, ssh. Elements shown outside: DW, Unix-admins, Oracle/Parsley. Labelled flows through the firewall: sql*net (PS to DW, and to Oracle/Parsley), ssh (Unix-admins to ssh server), web-proxy to outside web.]

  4. Legend
     • Sage (Sun): Oracle server for BSD
     • Parsley (Sun): Oracle server for SLAC (e.g. CANDO)
     • Web-proxy (Sun or NT?): allows BSD folks to have a single way of getting to outside BSD web pages & thus allows blocking of most Web access
     • ssh (Sun): allows single point of access to BSD for Unix logon, thus allowing blocking of most ssh logons
     • DHCP (Sun): dynamic host configuration server, needed if DHCP blocked
     • PS (NT): PeopleSoft server for BSD
     • SMS' (NT), NTFS' (NT): provides support for separate BSD NT domain
     • ISDN (Cisco): allows dialin access to BSD from home

  5. Requirements
     Allow:
     • time, smtp, http out, dns
     • POP/IMAP
     • telnet out of BSD
     • ftp out of BSD [s]
     • afs & Kerberos
     • VPN?
     • print
     • adsm
     • sql*net between PS & DW [s]
     • snmp (need for monitoring) [s]
     • Deny all others
     Block:
     • no mail gateways
     • http in
     • telnet into BSD
     • ftp into BSD
     • nfs, nis, tftp, bootp?
     • r*
     • NT network (135-139)
     • hydra?
     • X11 & XDMCP, finger
     • DECnet, AppleTalk, NetWare

  6. Firewall Requirements
     • Some of the services/protocols can be blocked with existing router ACLs, e.g.
       • nfs, r*, NT networking, telnet into BSD
     • To allow some services/protocols (ftp, sql*net) requires statefulness
       • i.e. the connection is opened on a well-known port, then data flows on ephemeral ports; so when the well-known port connection is seen, open up the ephemeral ports for the duration of the session
       • we do not currently have a device that can do this

  7. Possibilities
     • Move ~50 purchasers & planners into BSD, ~$12K
     • Provide a router with ACLs (cannot be stateful) for BSD to block:
       • telnet in to BSD, r*, ftp in to BSD, NIS (via portmapper)
       • DECnet, IPX (does Flex server use this?), AppleTalk (only IP printers in BSD)
       • NT networking, i.e. 135-139
     • Buy a firewall which supports stateful blocking [s], ~$12K
     • Put all BSD on switches (avoid sniffing, can block snmp), cost ~$45K
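The distinction slides 5 to 7 draw between what a stateless router ACL can express (default deny, block telnet/ftp/r*/135-139 into BSD, allow simple outbound services) and what needs a stateful device (opening the ephemeral FTP data port only while the control session is alive) can be shown with a toy filter. This is an added illustration, not SLAC's configuration: the BSD subnet, host addresses and FTP reply are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# FTP passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class BsdFirewall:
    """Default-deny filter: a stateless allow list plus FTP PASV pinholes."""

    # Simple (non-stateful) outbound services the slides allow:
    # smtp, http, dns, POP/IMAP, telnet out, ftp control channel out.
    ALLOW_OUT = {25, 80, 53, 110, 143, 23, 21}

    def __init__(self, inside="192.0.2.0/24"):  # constructed BSD subnet
        self.inside = ip_network(inside)
        self.pinholes = {}  # (client, server, data_port) -> control session id

    def direction(self, src, dst):
        s, d = ip_address(src) in self.inside, ip_address(dst) in self.inside
        return "out" if s and not d else "in" if d and not s else "local"

    def check(self, src, sport, dst, dport):
        """Decide one TCP connection attempt. Everything inbound (telnet, ftp,
        r*, 135-139, active-mode FTP data ...) and any unlisted outbound port
        is denied; pinholes are the only way an ephemeral port gets through."""
        if self.direction(src, dst) == "out":
            if dport in self.ALLOW_OUT or (src, dst, dport) in self.pinholes:
                return "allow"
        return "deny"

    def observe_control(self, client, server, reply, session):
        """Inspect a server reply on an allowed FTP control channel. A 227
        reply opens a pinhole for the announced data port; returns the port."""
        m = PASV_RE.search(reply)
        if not m:
            return None
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if host != server:  # never open a hole towards a third host
            return None
        self.pinholes[(client, server, port)] = session
        return port

    def close_session(self, session):
        """Control connection ended: drop the pinholes it opened."""
        self.pinholes = {k: v for k, v in self.pinholes.items() if v != session}
```

Without the stateful part, a stateless ACL would have to leave all high ports open to pass FTP data, which is exactly the gap slide 6 describes.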

  8. Questions - Services
     • How many BSD insiders need to telnet/ssh out?
     • How many BSD insiders need to ftp out?
     • Can BSD insiders use afs instead of ftp?
     • Can we allow all simple TCP outbound access?
       • simple means non-stateful protocols
       • if so, then we may not need a Web proxy
     • Can all BSD insiders use an ssh IMAP/POP client?
       • Protect passwords in clear

  9. Questions - BSD
     • Printers
       • Do printers inside need to be accessed from outside?
       • Do printers outside need to be accessed from inside?
       • How does NT print, is there an NT print server inside?
     • Where does Flex server go?
     • Do we have to block DHCP/BootP?
     • Do we need ISDN, if so how many?
       • Costly ($700/mo, $12K one time) if > than say 4 users
       • What about host stored passwords in shared homes?
       • Do these users already have ISDN?

  10. Questions - BSD Policies/assumptions
     • Users do not install software (esp. off net or floppy)
     • Users do not accept Excel/Word enclosures with macros, or:
       • is McAfee VirusScan good enough
       • do we need to check all mail at gateway ($20K)
     • No unregistered Web servers off port 80
     • Assumptions, inside BSD:
       • no NCDs
       • no AppleTalk printers (laserwriters)
       • NIS turned off on all hosts in BSD

  11. Questions - initial testing
     • Need to precisely define what protocols/services to block, in which direction and to & from where (IP address)
       • who decides & works with John Halperin?
     • Need to identify more precisely the impacts of blocking
       • Who works with users to notify, educate, provide documentation & FAQs, consult, trouble-shoot, coordinate, schedule outages?

  12. Questions - What about NT
     • What are the plans & schedule for:
       • splitting the BSD domain off from the rest of SLAC
       • providing NTFS'
       • the contacts are Andrea, Patrick, Jeff, Bill Johnson
       • etc.?
     • Do NT afs clients need ephemeral ports?
     • How does NT print, is there an NT print server inside?

  13. Questions - NT & App admin access
     • Do Ian, Freddie, Frank, George etc. need to be inside the firewall, outside, or both?
     • How many such people are there?
     • How do we identify them, & who is responsible for identifying them?
     • What are the possible solutions?

  14. Questions - Web Servers
     • What are the plans for proxy?
       • What is needed?
       • What is available?
       • Is it NT or Unix?
       • Is it a separate server & if so where?
       • When will it be ready?
       • Who is the contact person?
     • Is a separate server needed inside firewall to access PS?

  15. Questions - Databases
     • What are plans for Parsley?
       • When does it get installed?
       • What has to get moved to it etc.?
     • Ian reconfigures Sage
     • Database group is responsible for Development Web server
     • Who is responsible for Web-proxy server?

  16. Questions - Unix
     • When will Parsley be ready for Ian?
     • Who is responsible for the ssh server (do we need one)?
     • ADSM issues:
       • do Parsley & Sage backup to ADSM?
       • what protocols does it use?
     • Are there issues with administering Sage, DHCP, web-proxy with NFS, NIS etc. blocked?
     • How are inside accounts administered?

  17. Actions
     • Get ssh ftp for evaluation
     • Get questions answered
     • Assign group to define initial simple blocks
