Newsgroups: comp.unix.ultrix
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!ox.com!ox.com!emv
From: emv@ox.com (Ed Vielmetti)
Subject: Re: Internet security?
In-Reply-To: mogul@pa.dec.com's message of Thu, 18 Apr 91 01:05:03 GMT
Message-ID: <EMV.91Apr18000404@poe.aa.ox.com>
Sender: usenet@ox.com (Usenet News Administrator)
Organization: OTA Limited Partnership, Ann Arbor MI.
References: <JEW.91Apr12104732@rt.sunquest.com>
	<1991Apr18.010503.28085@pa.dec.com>
Date: Thu, 18 Apr 1991 04:04:06 GMT

In article <1991Apr18.010503.28085@pa.dec.com> mogul@pa.dec.com (Jeffrey Mogul) writes:

   Not precisely the same thing, but Ultrix 4.2 will include the "screend"
   program.  If you use an Ultrix system as a router, screend will allow
   you to control access at the router (instead of at the end system).  This
   is more convenient when you are dealing with a large collection of hosts
   that have to be protected.

   For more information, see my paper in Proc. USENIX Summer '89, or wait
   for the documentation on the Ultrix 4.2 kit.

I would bet that the software in
	decuac.dec.com:/public/sources/screend.tar.Z 
would give you a taste of what's in 4.2, though from looking at the
package it's a beta version rather than final product.  

If you don't have the USENIX Summer '89 proceedings, the paper is in
this package (or at least the preprint is).  It would appear that it
might also be available by mail to "wrl-techreports@decwrl.dec.com";
send a message with the subject "help" for more instructions.  The
paper is "Simple and Flexible Datagram Access Controls for Unix-based
Gateways", March 1989.

Note that port-based router security doesn't help you at all if you
have evil people on the inside connecting to their accomplices
outside; even the most innocuous of "well-known ports" can be hijacked
to use to tunnel datagrams through.  I don't recall the exact
reference, but I believe something along these lines was presented at
a Usenix by some Bell Labs folks, the name "greyer" (instead of
"blacker") comes to mind.

-- 
 Msen	Edward Vielmetti
/|---	moderator, comp.archives
	emv@msen.com

"With all of the attention and publicity focused on gigabit networks,
not much notice has been given to small and largely unfunded research
efforts which are studying innovative approaches for dealing with
technical issues within the constraints of economic science."  
							RFC 1216
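Added example (not code from the post above, and not screend's own code or rule syntax): a toy screend-style datagram filter with a first-match, default-deny rule table, evaluated on a few constructed packets. The ruleset, addresses and payloads are made up for illustration. It shows the point made about well-known ports: an outbound packet to TCP 25 is admitted whether it carries SMTP or an insider's tunnel, because a port-based filter never looks past the headers.

```python
"""Toy screend-style datagram access control (constructed example).

Rules match on source/destination network, protocol and destination
port only; payload is never consulted.  First matching rule wins and
the default is deny (an assumed policy, not necessarily screend's).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes      # carried along, but the filter ignores it


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    src_net: str        # CIDR
    dst_net: str        # CIDR
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port

    def matches(self, d: Datagram) -> bool:
        if ipaddress.ip_address(d.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(d.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto != "any" and self.proto != d.proto:
            return False
        if self.dport is not None and self.dport != d.dport:
            return False
        return True


def screen(rules: List[Rule], d: Datagram, default: str = "deny") -> str:
    """Return the action of the first rule matching d, else the default."""
    for r in rules:
        if r.matches(d):
            return r.action
    return default


# Hypothetical site: 192.0.2.0/24 is "inside", 192.0.2.25 is the mail host.
INSIDE = "192.0.2.0/24"
ANYWHERE = "0.0.0.0/0"

RULES = [
    Rule("permit", ANYWHERE, "192.0.2.25/32", "tcp", 25),  # inbound mail to the mail host
    Rule("permit", INSIDE, ANYWHERE, "tcp", 25),           # outbound mail from anyone inside
    Rule("deny", ANYWHERE, INSIDE, "any", None),           # everything else inbound
    Rule("deny", INSIDE, ANYWHERE, "any", None),           # everything else outbound
]


def classify_samples() -> dict:
    """Run three constructed packets through the ruleset."""
    telnet_in = Datagram("198.51.100.7", "192.0.2.10", "tcp", 23, b"")
    smtp_out = Datagram("192.0.2.10", "198.51.100.7", "tcp", 25, b"HELO inside.example\r\n")
    # An insider's accomplice listens on port 25 outside; the "mail" is
    # really a file being smuggled out.  Same headers, different payload.
    tunnel_out = Datagram("192.0.2.10", "198.51.100.7", "tcp", 25, b"\x00\x01root:x:0:0:...")
    return {
        "telnet_in": screen(RULES, telnet_in),
        "smtp_out": screen(RULES, smtp_out),
        "tunnel_out": screen(RULES, tunnel_out),
    }


def payload_is_irrelevant(d: Datagram) -> bool:
    """True if replacing the payload leaves the filter's verdict unchanged."""
    altered = Datagram(d.src, d.dst, d.proto, d.dport, b"anything at all")
    return screen(RULES, d) == screen(RULES, altered)


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

The inbound telnet attempt is refused, as you'd expect, but the outbound "mail" and the outbound tunnel get the same verdict: the only way to tell them apart is to look at what is inside the datagrams, which is exactly what a port-based gateway filter does not do.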


