Great Circle Associates Firewalls
(April 1994)
 

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Inbound telnet sessions.
From: "Rhett, Joe" <JRhett @ sextantgroup . com>
Date: Thu, 14 Apr 94 12:31:38 PST
To: Firewalls @ GreatCircle . COM

        
Have an interesting requirement. Have a network system with Internet 
connection. Blocking all connection attempts to any address except for
the FTP server. (Protocol Filtering Router)

One of the requirements is the ability for users to telnet to their 
workstations (Sun and SCO) from the Internet. This is currently allowed
by telneting to the FTP server, then telneting out from there.

This is relatively secure, as the number of accounts on that system is
strictly limited. Once there, you need to know an IP address to get out.

After giving users a shell and various and sundry attempts to limit that
shell, I have actually found it more secure to put telnet into their
home directory, and execute it as a shell instead. Without an underlying
shell, no shell functions can be performed, and the connection is dropped
when they log out of the remote system.

user:ashdfkja:1000:1000:Remote Access User:/home/user/telnet

2 Questions:

1 - Any user can use

> open xxx.xxx.xxx.xxx 25

        .. and telnet to the sendmail port on the Sun boxes. The security
here is performed at the Router and Firewall system, trying to leave the 
inner system alone. (Yah, I know that a single break and the whole system
is compromised but this is how it's being done...)
        -- Therefore, I'd like to find a way to kill that ability, and/or
replace telnet with something more limited.

2 - Is there anything else left open for attack?

BTW: The Router allows ICMP and DNS (port 53) data through. It allows
port 21,23,25 to go to the firewall (FTP,Telnet,SMTP) but disallows 
all other protocols under 1024, blocks the standard NFS and NIS ports,
as well as X-Window ports.


Follow-Ups:
Indexed By Date Previous: Re: Encrypted tunnels
From: lear @ yeager . corp . sgi . com (Eliot Lear)
Next: Re: Encrypted tunnels
From: smb @ research . att . com
Indexed By Thread Previous: Minor cosmetic fix for probe_tcp_ports.c on little endian machines
From: long-morrow @ CS . YALE . EDU (H Morrow Long)
Next: Re: Inbound telnet sessions.
From: Walker Aumann <walkera @ druggist . gg . caltech . edu>

Google
 
Search Internet Search www.greatcircle.com