Great Circle Associates Firewalls
(February 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Securing UUCP systems
From: plarkin @ iphase . com (Patrick Larkin Jr)
Date: Wed, 23 Feb 94 09:05:01 CST
To: firewalls @ greatcircle . com

> We are designing our firewall.  It will use a single login account which
> administers the challenge-response authentication (user then can telnet
> into whatever internal system he/she needs).  However, we are stuck with
> a problem that I can not seem to resolve.  How does one keep a secure
> firewall that allows people to use UUCP?  Ive thought and thought, but
> about the only thing I can think of is this:
> 
> Bastion host contains the required UUCP logins with use the 'uucico'
> for the shell and also contains the 'validator' account. It also 
> has some number of modems.
> Another system on the internal net has all user accounts and a uucppublic
> directory.  In addition, this system contains some modems with NO GETTYs
> running on them (They are outbound only). Users inside the net can uucp
> or use 'tip' from this 'uucphost'.  All incoming UUCP is sent to the
> bastion host which has the 'uucphost's uucppublic directory mounted 
> via NFS.
> 
> The problems I see with this are that the bastion must have SOME idea
> of who the recipient of a file is - I would prefer not to have to add
> ANY accounts to passwd even if the shell were '/bin/false'. Next, it would
> require that the bastion have enuff NFS smarts to mount that partition,
> thus I dont know what other vulnerabilities I might encounter.
> 
> Is this the best solution for this?  What has anyone else done?
> It seems a shame to build a firewall and then leave some modems 
> hanging out in the breeze unprotected!
> BTW - All interactive dial-in has been addressed seperately so 
> the UUCP concern can be resolved without regard to interactive modems. 
> Thanks,

I posted the above message and got several responses (Thank you very much),
however, I believe I must have mis-represented my goals.  What I need to know
is how does one setup a UUCP Relay?  I am going to have some problems when
I implement the accountless bastion host.  Basically, I want several
internal systems to know about 1 particular system (also internal).  This
other system would be the only one to know about the bastion host and
the bastion host would only know him and outsiders.  I need in-bound
UUCP to pass thru the bastion onto the one internal host and I also
need my UUCP-only outbound News feeds, to pass from the internal
newshost to the uucphost which then passes it to the bastion
(or dials out on an outbound only modem pool [no gettys on modems
to internal hosts])

As you can see, the TCP portion of installing a firewall is pretty
straight forward for me, but the UUCP issues throw a real wrench
in the works.  If you can't help me directly, can you point me to 
a resource that addresses these?  (I already have and have read
the following O'Reilley books that seem kinda related: 
TCP/IP, Managing UUCP and Usenet, Practical Unix Security)

Thanks again.
-- 
 PATRICK LARKIN <plarkin @
 iphase .
 com> System Administrator, Interphase Corp. 
begin 644 plarkin.sig
M(" @(" @("!296QA>"XN+ @
 H@(" @(" @(" @(" @(" @1&]N)W0 @
 5V]R<GDN
L+BX*(" @(" @(" @(" @(" @(" @(" @(" @2&%V92!A($AO;65B<F5W(0HN
 
end

Indexed By Date Previous: DEC SEAL on SUN 4.1.3
From: Ann Weigold <aweigold @ world . std . com>
Next: Re: DEC SEAL on SUN 4.1.3
From: Frederick M Avolio <avolio @ tis . com>
Indexed By Thread Previous: Securing UUCP systems
From: plarkin @ iphase . com (Patrick Larkin Jr)
Next: /etc/hosts.equiv file
From: "Michael M. Pan" <pa96m @ ccwf . cc . utexas . edu>

Google
 
Search Internet Search www.greatcircle.com