BSD Firewall

R. Les Cottrell <[email protected]>
Stanford Linear Accelerator Center (SLAC)
Presented at SCS Technical Coordination Meeting, July 22, 1998
www.slac.stanford.edu/grp/scs/net/talk/bsd-fw/

03/15/22 uc.slac.stanford.edu/cottrell/slac/bsd-fw 1



Introduction

Securing BSD SLAC is a requirement from Richter
– Protect BSD without destroying open collaborative environment for most of SLAC

This meeting's goals:
– explain the current understanding & improve it
– put forward some first steps
– raise questions / concerns
– prioritize and assign resources to address as appropriate


Possible Concept

(Diagram; only the box labels survive extraction.) Labels shown: BSD (~200 hosts), Firewall, NTFS', SMS', DHCP, DW, Plan, Purch, ISDN, ssh, ADSM, www-bis, sql*net, Oracle/Parsley, Sage, web-proxy, PS, Dev Web, Unix-admins, DNS', NTP'.


Legend

Sage (Sun): Oracle server for BSD
Parsley (Sun): Oracle server for SLAC (e.g. CANDO)
Web-proxy (Sun or NT?): allows BSD folks to have a single way of getting to outside BSD web pages & thus allows blocking of most Web access
ssh (Sun): allows single point of access to BSD for Unix logon, thus allowing blocking of most ssh logons
DHCP (Sun): dynamic host configuration server, needed if DHCP blocked
PS (NT): PeopleSoft server for BSD
SMS' (NT), NTFS' (NT): provides support for separate BSD NT domain
ISDN (Cisco): allows dialin access to BSD from home


Requirements

Allow:
– time, smtp, http out, dns
– POP/IMAP
– telnet out of BSD
– ftp out of BSD [s]
– afs & Kerberos
– VPN?
– print
– adsm
– sql*net between PS & DW [s]
– snmp (need for monitoring) [s]
– Deny all others

Block:
– no mail gateways
– http in
– telnet into BSD
– ftp into BSD
– nfs, nis, tftp, bootp?
– r*
– NT network (135-139)
– hydra?
– X11 & XDMCP, finger
– DECnet, AppleTalk, NetWare


Firewall Requirements

Some of the services/protocols can be blocked with existing router ACLs, e.g.
– nfs, r*, NT networking, telnet into BSD

To allow some services/protocols (ftp, sql*net) requires statefulness
– i.e. open connection on well-known port, then data flows on ephemeral ports, so when the well-known port connection is seen, open up ephemeral ports for the duration of the session
– we do not currently have a device that can do this
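As an added illustration (not code from the talk), a small Python model of the two approaches contrasted on this slide and the Requirements slide: a stateless router ACL that judges each packet alone, beside a stateful filter that opens ephemeral ports for a host pair only while its control connection (ftp, sql*net) is open. Host names and port numbers in the sample traffic are constructed, and the ACK-based "established" match is assumed to be the router's only way to admit reply packets.

```python
"""Stateless router ACL vs. stateful filter for the BSD allow/block policy.
Constructed illustration; hosts and ports used with it are invented values.
Direction "out" = BSD -> rest of SLAC, "in" = rest of SLAC -> BSD."""
from dataclasses import dataclass

# Outbound services the Requirements slide allows, by well-known port.
ALLOW_OUT = {23: "telnet", 21: "ftp", 25: "smtp", 80: "http", 53: "dns", 123: "time"}
# Control ports whose data then flows on ephemeral ports (needs statefulness).
STATEFUL_CONTROL = {21: "ftp", 1521: "sql*net"}
NT_NETWORKING = range(135, 140)   # 135-139, blocked in both directions

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" or "in"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # set on every packet except the opening SYN
    fin: bool = False   # control session closing

def stateless_decision(pkt):
    """Router-ACL style: every packet judged on its own; deny all others."""
    if pkt.dport in NT_NETWORKING or pkt.sport in NT_NETWORKING:
        return "deny"
    if pkt.direction == "out" and pkt.dport in ALLOW_OUT:
        return "allow"
    # Replies to allowed outbound sessions via the ACL 'established' trick:
    # it only matches packets with ACK set, never a fresh inbound SYN.
    if pkt.direction == "in" and pkt.ack and pkt.sport in ALLOW_OUT:
        return "allow"
    return "deny"

class StatefulFilter:
    """Opens ephemeral ports for a host pair while its control session is open."""
    def __init__(self):
        self.sessions = set()   # (bsd_host, outside_host) with open control channel

    def decide(self, pkt):
        if pkt.direction == "out" and pkt.dport in STATEFUL_CONTROL:
            key = (pkt.src, pkt.dst)
            if pkt.fin:
                self.sessions.discard(key)
            else:
                self.sessions.add(key)
            return "allow"
        pair = (pkt.src, pkt.dst) if pkt.direction == "out" else (pkt.dst, pkt.src)
        if pair in self.sessions and pkt.dport >= 1024:
            return "allow"   # data channel of a tracked session, either direction
        return stateless_decision(pkt)
```

An inbound data-channel SYN (e.g. active-mode ftp from server port 20) is denied by the stateless ACL but admitted by the stateful filter while the control session is open, and denied again once the control session sends FIN.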


Possibilities

Move ~50 purchasers & planners into BSD, ~$12K
Provide a router with ACLs (cannot be stateful) for BSD to block:
– telnet in to BSD, r*, ftp in to BSD, NIS (via portmapper)
– DECnet, IPX (does Flex server use this?), AppleTalk (only IP printers in BSD)
– NT networking, i.e. 135-139
Buy a firewall which supports stateful blocking [s], ~$12K
Put all BSD on switches (avoid sniffing, can block snmp), cost ~$45K


Questions - Services

How many BSD insiders need to telnet/ssh out?
How many BSD insiders need to ftp out?
Can BSD insiders use afs instead of ftp?
Can we allow all simple TCP outbound access?
– simple means non-stateful protocols
– if so, then we may not need a Web proxy
Can all BSD insiders use an ssh IMAP/POP client?
– Protect passwords in clear


Questions - BSD Printers

– Do printers inside need to be accessed from outside?
– Do printers outside need to be accessed from inside?
– How does NT print, is there an NT print server inside?

Where does Flex server go?
Do we have to block DHCP/BootP?
Do we need ISDN, if so how many?
– Costly ($700/mo, $12K one time) if > than say 4 users
– What about host stored passwords in shared homes?
– Do these users already have ISDN?


Questions - BSD Policies/assumptions

Users do not install software (esp. off net or floppy)
Users do not accept Excel/Word enclosures with macros, or:
– is McAfee VirusScan good enough?
– do we need to check all mail at gateway ($20K)?
No unregistered Web servers off port 80
Assumptions, inside BSD:
– no NCDs
– no AppleTalk printers (laserwriters)
– NIS turned off on all hosts in BSD


Questions - initial testing

Need to precisely define what protocols/services to block, in which direction and to & from where (IP address)
– who decides & works with John Halperin?
Need to identify more precisely the impacts of blocking.
Who works with users to notify, educate, provide documentation & FAQs, consult, trouble-shoot, coordinate, schedule outages?


Questions - What about NT

What are the plans & schedule for:
– splitting the BSD domain off from the rest of SLAC
– providing NTFS'
– the contacts are Andrea, Patrick, Jeff, Bill Johnson
– etc.?
Do NT afs clients need ephemeral ports?
How does NT print, is there an NT print server inside?


Questions - NT & App admin access

Do Ian, Freddie, Frank, George etc. need to be inside firewall or outside or both?
– How many such people are there?
– How do we identify them, & who is responsible for identifying them?
– What are the possible solutions?


Questions - Web Servers

What are the plans for proxy?
– What is needed?
– What is available?
– Is it NT or Unix?
– Is it a separate server & if so where?
– When will it be ready?
– Who is the contact person?
Is a separate server needed inside firewall to access PS?


Questions - Databases

What are plans for Parsley?
– When does it get installed?
– What has to get moved to it etc.?
– Ian reconfigures Sage
Database group is responsible for Development Web server.
Who is responsible for Web-proxy server?


Questions - Unix

When will Parsley be ready for Ian?
Who is responsible for the ssh server (do we need one)?
ADSM issues:
– do Parsley & Sage backup to ADSM?
– what protocols does it use?
Are there issues with administering Sage, DHCP, web-proxy with NFS, NIS etc. blocked?
– How are inside accounts administered?


Actions

Get ssh ftp for evaluation
Get questions answered
Assign group to define initial simple blocks