Great Circle Associates Firewalls
(February 1994)
 


Subject: Re: restricting Internet Access
From: hp90101 @ internet . sbi . com (Harry Protoolis)
Date: Tue, 8 Feb 94 13:00:45 GMT
To: Rens . Schipper @ rivm . nl
Cc: firewalls @ greatcircle . com

Rens,

We restrict all connections to the internet via our firewall. I think that
unless you control outgoing connections you do create a significant security
hole.

As an example, one of the ways in which the recent sendmail hole was exploited
was by planting a program on your mailhost that would attempt to open
a connection to a remote, unfriendly, host. This would allow an attacker
onto your system from outside and the connection would appear to have
been initiated *from the inside*. This would have beaten many 'packet
filtering' based firewall schemes.

There is always a tradeoff to be made between ease of use and security; a
great deal depends on what you are trying to achieve.

Cheers,
Harry Protoolis		"Sons of the South, make a choice between ...
harry @ london . sbil . co . uk	The land that belongs to the lord and the Queen
			And the land that belongs to you." - Henry Lawson
			(with apologies for the sexist language)
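
The point made in the message above, that a filter which screens only inbound connections lets a compromised mailhost connect out freely, shown as an added example that is not part of the original post: a first-match rule evaluator run against an inbound-only policy and an egress-controlled one. All addresses, the gateway host, port 4000 and both rule sets are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    src: str    # host that initiates the TCP connection
    dst: str    # host that receives it
    dport: int  # destination port

class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # CIDR matched against the initiator
    dst: str              # CIDR matched against the receiver
    dport: Optional[int]  # None matches any port

ANY = "0.0.0.0/0"
INSIDE = "192.0.2.0/24"     # constructed internal network
MAILHOST = "192.0.2.25/32"  # constructed mail server
GATEWAY = "192.0.2.10/32"   # hypothetical proxy host that users go through

# Inbound-only policy: filters what comes in, trusts anything started inside.
INBOUND_ONLY = [
    Rule("allow", ANY, MAILHOST, 25),
    Rule("allow", INSIDE, ANY, None),
]
# Egress-controlled policy: outbound is limited to named hosts and services.
EGRESS_CONTROLLED = [
    Rule("allow", ANY, MAILHOST, 25),
    Rule("allow", MAILHOST, ANY, 25),
    Rule("allow", GATEWAY, ANY, None),
]
# Constructed sample flows; 198.51.100.7 stands for an unknown outside host.
FLOWS = {
    "inbound telnet to mailhost": Flow("198.51.100.7", "192.0.2.25", 23),
    "mailhost delivers mail out": Flow("192.0.2.25", "198.51.100.7", 25),
    "mailhost opens odd outbound port": Flow("192.0.2.25", "198.51.100.7", 4000),
    "desktop connects out directly": Flow("192.0.2.77", "198.51.100.7", 23),
}

def decide(rules, flow, default="deny"):
    """First matching rule wins; a flow no rule matches gets the default."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.dport in (None, flow.dport)):
            return r.action
    return default

def audit(rules):  # sample flow name -> decision under this policy
    return {name: decide(rules, flow) for name, flow in FLOWS.items()}
```

Both policies refuse the inbound telnet attempt, so they look equivalent from the outside; only the egress-controlled one also refuses the mailhost's unexpected outbound connection.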

