BSD Firewall
R. Les Cottrell <[email protected]>
Stanford Linear Accelerator Center (SLAC)
Presented at SCS Technical Coordination Meeting July 22, 1998
www.slac.stanford.edu/grp/scs/net/talk/bsd-fw/
04/19/23 uc.slac.stanford.edu/cottrell/slac/bsd-fw 1
Introduction
Securing BSD SLAC is a requirement from Richter
– Protect BSD without destroying open collaborative environment for most of SLAC
This meeting's goals:
– explain the current understanding & improve it
– put forward some first steps
– raise questions / concerns
– prioritize and assign resources to address as appropriate
Possible Concept
[Slide diagram: BSD (~200 hosts) sits behind a firewall. Components shown: NTFS’, SMS’, DHCP, DW, Plan, Purch, ISDN, ssh, ADSM, www-bis, sql*net to Oracle/Parsley, Sage, web-proxy, PS, Dev Web, ssh for Unix-admins, DNS’, NTP’]
Legend
– Sage (Sun): Oracle server for BSD
– Parsley (Sun): Oracle server for SLAC (e.g. CANDO)
– Web-proxy (Sun or NT?): allows BSD folks to have a single way of getting to outside BSD web pages & thus allows blocking of most Web access.
– ssh (Sun): allows single point of access to BSD for Unix logon thus allowing blocking of most ssh logons
– DHCP (Sun): dynamic host configuration server needed if DHCP blocked
– PS (NT): PeopleSoft server for BSD
– SMS’ (NT), NTFS’ (NT): provides support for separate BSD NT domain
– ISDN (Cisco): allows dialin access to BSD from home
Requirements
Allow:
– time, smtp, http out, dns
– POP/IMAP
– telnet out of BSD
– ftp out of BSD [s]
– afs & Kerberos
– VPN?
– adsm
– sql*net between PS & DW [s]
– snmp (need for monitoring) [s]
– Deny all others
Block:
– no mail gateways
– http in
– telnet into BSD
– ftp into BSD
– nfs, nis, tftp, bootp?
– r*
– NT network (135-139)
– hydra?
– X11 & XDMCP, finger
– DECnet, AppleTalk, NetWare
Firewall Requirements
Some of the services/protocols can be blocked with existing router ACLs, e.g.
– nfs, r*, NT networking, telnet into BSD
To allow some services/protocols (ftp, sql*net) requires statefulness
– i.e. the connection is opened on a well-known port, then data flows on ephemeral ports, so when we see the well-known port opened we open up the ephemeral ports for the duration of the session
– we do not currently have a device that can do this
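As an added illustration (not part of the original slides), the toy filter below contrasts a stateless router ACL with a connection-tracking filter on a constructed active-mode ftp exchange: the server-initiated data connection to the client's ephemeral port is the one packet the two disagree on. Addresses, port numbers, `Pkt`, `StatefulFilter` and `decisions` are all assumptions made for the example.

```python
from dataclasses import dataclass
INSIDE_PREFIX = "10.10."      # constructed placeholder for the BSD address range
CONTROL_PORTS = {21, 1521}    # ftp control and sql*net listener: the slide's [s] services
@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # connection opener
    fin: bool = False         # connection close

def inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def static_acl(pkt):
    """Stateless router ACL: outbound passes; inbound passes only if it is not a
    connection opener (the classic 'established' match). It has no session memory."""
    return inside(pkt.src) or not pkt.syn

class StatefulFilter:
    """Tracks open control sessions and admits the related inbound data
    connection (server -> client ephemeral port) only while the session is open."""
    def __init__(self):
        self.sessions = set()  # (client, server) pairs with an open control connection

    def allow(self, pkt):
        if inside(pkt.src):
            if pkt.dport in CONTROL_PORTS:   # learn or forget a control session
                key = (pkt.src, pkt.dst)
                if pkt.syn:
                    self.sessions.add(key)
                elif pkt.fin:
                    self.sessions.discard(key)
            return True
        if not pkt.syn:
            return True                      # reply traffic, as in the static ACL
        return (pkt.dst, pkt.src) in self.sessions and pkt.dport >= 1024

# Constructed active-mode ftp exchange; 192.0.2.10 is a documentation address.
CLIENT, SERVER = "10.10.1.5", "192.0.2.10"
SCENARIO = [
    Pkt(CLIENT, 40001, SERVER, 21, syn=True),  # control connection opens
    Pkt(SERVER, 20, CLIENT, 40002, syn=True),  # server opens the data connection
    Pkt(CLIENT, 40001, SERVER, 21, fin=True),  # control connection closes
    Pkt(SERVER, 20, CLIENT, 40003, syn=True),  # stray data connection after close
]
def decisions(filter_fn):
    return [filter_fn(p) for p in SCENARIO]
```

`decisions(static_acl)` drops the data connection while `decisions(StatefulFilter().allow)` admits it, and both drop the stray connection once the control session has closed.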
Possibilities
– Move ~50 purchasers & planners into BSD, ~ $12K
– Provide a router with ACLs (cannot be stateful) for BSD to block:
  – telnet in to BSD, r*, ftp in to BSD, NIS (via portmapper)
  – DECnet, IPX (does Flex server use this?), AppleTalk (only IP printers in BSD)
  – NT networking, i.e. 135-139
– Buy a firewall which supports stateful blocking [s] ~ $12K
– Put all BSD on switches (avoid sniffing, can block snmp), cost ~ $45K
Questions - Services
– How many BSD insiders need to telnet/ssh out?
– How many BSD insiders need to ftp out?
– Can BSD insiders use afs instead of ftp?
– Can we allow all simple TCP outbound access?
  – simple means non-stateful protocols
  – if so, then we may not need a Web proxy
– Can all BSD insiders use an ssh IMAP/POP client?
  – Protect passwords in clear
Questions - BSD Printers
– Do printers inside need to be accessed from outside?
– Do printers outside need to be accessed from inside?
– How does NT print, is there an NT print server inside?
Where does Flex server go?
Do we have to block DHCP/BootP?
Do we need ISDN, if so how many?
– Costly ($700/mo, $12K one time) if > than say 4 users
– What about host stored passwords in shared homes?
– Do these users already have ISDN?
Questions - BSD Policies/assumptions
– Users do not install software (esp. off net or floppy)
– Users do not accept Excel/Word enclosures with macros or:
  – is McAfee VirusScan good enough
  – do we need to check all mail at gateway ($20K)
– No unregistered Web servers off port 80
Assumptions, inside BSD:
– no NCDs
– no AppleTalk printers (laserwriters)
– NIS turned off on all hosts in BSD
Questions - initial testing
– Need to precisely define what protocols/services to block, in which direction and to & from where (IP address)
  – who decides & works with John Halperin?
– Need to identify more precisely the impacts of blocking.
– Who works with users to notify, educate, provide documentation & FAQs, consult, trouble-shoot, coordinate, schedule outages?
Questions - What about NT
What are the plans & schedule for:
– splitting the BSD domain off from the rest of SLAC
– providing NTFS’
– the contacts are Andrea, Patrick, Jeff, Bill Johnson
– etc.?
Do NT afs clients need ephemeral ports?
How does NT print, is there an NT print server inside?
Questions - NT & App admin access
Do Ian, Freddie, Frank, George etc. need to be inside firewall or outside or both?
– How many such people are there?
– How do we identify them, & who is responsible for identifying them?
– What are the possible solutions?
Questions - Web Servers
What are the plans for proxy?
– What is needed?
– What is available?
– Is it NT or Unix?
– Is it a separate server & if so where?
– When will it be ready?
– Who is the contact person?
Is a separate server needed inside firewall to access PS?
Questions - Databases
What are plans for Parsley?
– When does it get installed?
– What has to get moved to it etc.?
– Ian reconfigures Sage
Database group is responsible for Development Web server.
Who is responsible for Web-proxy server?
Questions - Unix
When will Parsley be ready for Ian?
Who is responsible for the ssh server (do we need one)?
ADSM issues:
– do Parsley & Sage backup to ADSM?
– what protocols does it use?
Are there issues with administering Sage, DHCP, web-proxy with NFS, NIS etc. blocked?
– How are inside accounts administered?