Great Circle Associates Firewalls
(February 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Securing UUCP systems
From: plarkin @ iphase . com (Patrick Larkin Jr)
Date: Wed, 16 Feb 1994 14:12:58 -0600 (CST)
To: firewalls @ greatcircle . com
Reply-to: plarkin @ iphase . com

We are designing our firewall.  It will use a single login account which
administers the challenge-response authentication (user then can telnet
into whatever internal system he/she needs).  However, we are stuck with
a problem that I can not seem to resolve.  How does one keep a secure
firewall that allows people to use UUCP?  Ive thought and thought, but
about the only thing I can think of is this:

Bastion host contains the required UUCP logins with use the 'uucico'
for the shell and also contains the 'validator' account. It also 
has some number of modems.
Another system on the internal net has all user accounts and a uucppublic
directory.  In addition, this system contains some modems with NO GETTYs
running on them (They are outbound only). Users inside the net can uucp
or use 'tip' from this 'uucphost'.  All incoming UUCP is sent to the
bastion host which has the 'uucphost's uucppublic directory mounted 
via NFS.

The problems I see with this are that the bastion must have SOME idea
of who the recipient of a file is - I would prefer not to have to add
ANY accounts to passwd even if the shell were '/bin/false'. Next, it would
require that the bastion have enuff NFS smarts to mount that partition,
thus I dont know what other vulnerabilities I might encounter.

Is this the best solution for this?  What has anyone else done?
It seems a shame to build a firewall and then leave some modems 
hanging out in the breeze unprotected!
BTW - All interactive dial-in has been addressed seperately so 
the UUCP concern can be resolved without regard to interactive modems. 
| PATRICK LARKIN <plarkin @
 iphase .
 com> System Administrator, Interphase Corp. |
begin 644 plarkin.sig
M(" @(" @("!296QA>"XN+ @
 H@(" @(" @(" @(" @(" @1&]N)W0 @
L+BX*(" @(" @(" @(" @(" @(" @(" @(" @2&%V92!A($AO;65B<F5W(0HN

Indexed By Date Previous: Re: questions
From: johns @ oxygen . house . gov (John Schnizlein)
Next: questions
From: francis @ avalle . insoft . com (John [Francis] Stracke)
Indexed By Thread Previous: questions
From: francis @ avalle . insoft . com (John [Francis] Stracke)
Next: Securing UUCP systems
From: plarkin @ iphase . com (Patrick Larkin Jr)

Search Internet Search