Re: Inward telnet from insecure clients (was Re: Security Related Issues)
Paul D. Robertson (proberts@clark.net)
Fri, 8 May 1998 20:44:38 -0400 (EDT)
- Next message: tqbf@secnet.com: "Re: ODBC"
- Previous message: Nick Drage: "Re: Blitzkrieg Server -- For Real?! ( LONG )"
- In reply to: arager@McGraw-Hill.com: "Blitzkrieg Server -- For Real?!"
On Wed, 6 May 1998, Bennett Todd wrote:
> I just had a thought. In a setting like this, how about rig the daemon
> to scan the client? Strobe[1] can run pretty quickly; don't let someone
> log in at all until you've completed a strobe against 'em. Then let 'em
> in, and commence an nmap[2] alongside to make sure there aren't any UDP
> ports open. After the first time they log in, make a note, and from then
No UDP ports open would pretty much kill any system using DNS ;)
> on let 'em in immediately --- but launch an nmap at the same time as you
> let 'em in, and if ever they fail one disable 'em until a hand reset.
>
> If a client isn't listening on any ports it can't be burgled over the
> net. Set the company policy that logins over the internet are only
> permitted from clients which themselves can't be easily burgled, which
> means they can't be listening for incoming connections.
Problem A:
Just because the client isn't listening to any ports on one
interface doesn't make it secure. More cable modem market penetration will
start to make this painfully obvious at some point.
Problem B:
Users will quickly figure out that a quick filter rule against the
strobing machine will allow them access much more quickly and won't upset
the Quake2 Deathmatch in progress.
> > Offer assistance at securing clients up to company spec.
>
> Combine something like this with ssh[3] and I think you could actually
> have a pretty safe inbound access from the internet.
Until disgruntled former employee A helps current employee B who isn't
computer literate with his computer...
I still think "safe inbound access from the Internet" is an oxymoron.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@clark.net      which may have no basis whatsoever in fact."
PSB#9280
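The gate Bennett Todd sketches above (scan the client before its first login, let known clients straight in with a scan running alongside, and disable anyone who ever fails a scan until a hand reset) is a small state machine, and Paul's Problem B is a concrete failure mode of it. The following is an added illustration written for this archive page; it is not code from either poster, nor from strobe or nmap. The probe function, the `ScanGate` class, the port list and the three client hosts are all constructed here so the policy can be exercised offline; a real deployment would plug in an actual scanner in place of `fake_probe`.

```python
"""Model of a scan-gated login policy (constructed example, not list code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, Set


class PortState(Enum):
    OPEN = "open"          # probe was accepted: something is listening
    CLOSED = "closed"      # host answered with a refusal (TCP RST)
    FILTERED = "filtered"  # no answer at all: a filter rule dropped the probe


@dataclass
class ScanResult:
    states: Dict[int, PortState]

    def open_ports(self) -> Set[int]:
        return {p for p, s in self.states.items() if s is PortState.OPEN}

    def filtered_ports(self) -> Set[int]:
        return {p for p, s in self.states.items() if s is PortState.FILTERED}


class Decision(Enum):
    ALLOW = "allow"
    LOCKED = "locked"


@dataclass
class ScanGate:
    """Hypothetical login gate: scan before the first login, scan alongside
    later logins, lock on any failed scan until manual_reset() is called."""
    probe: Callable[[str, Iterable[int]], ScanResult]
    ports: Iterable[int]
    seen: Set[str] = field(default_factory=set)
    locked: Set[str] = field(default_factory=set)
    treat_filtered_as_fail: bool = True

    def _passes(self, client: str) -> bool:
        result = self.probe(client, self.ports)
        if result.open_ports():
            return False
        # Problem B: a client that drops the scanner's packets shows every port
        # as FILTERED, which a naive gate counts as "nothing listening".
        # Refusing a wholly unanswered scan takes that shortcut away.
        if self.treat_filtered_as_fail and result.filtered_ports() == set(self.ports):
            return False
        return True

    def login(self, client: str) -> Decision:
        """Decide a login attempt from `client` (the address the connection
        arrived from; per Problem A, other interfaces are never seen)."""
        if client in self.locked:
            return Decision.LOCKED
        if client not in self.seen:
            # First login: hold the session until the scan completes.
            if not self._passes(client):
                self.locked.add(client)
                return Decision.LOCKED
            self.seen.add(client)
            return Decision.ALLOW
        # Known client: admitted at once; the caller runs post_login_scan()
        # in the background, so a failure only affects later logins.
        return Decision.ALLOW

    def post_login_scan(self, client: str) -> bool:
        ok = self._passes(client)
        if not ok:
            self.locked.add(client)
        return ok

    def manual_reset(self, client: str) -> None:
        self.locked.discard(client)
        self.seen.discard(client)  # a reset client is re-scanned before entry


# Constructed scan results standing in for a real strobe/nmap run.
PROBE_PORTS = (21, 22, 23, 25, 80, 139)
FAKE_HOSTS: Dict[str, Dict[int, PortState]] = {
    "10.0.0.5": {p: PortState.CLOSED for p in PROBE_PORTS},   # clean client
    "10.0.0.6": {**{p: PortState.CLOSED for p in PROBE_PORTS},
                 139: PortState.OPEN},                         # SMB listening
    "10.0.0.7": {p: PortState.FILTERED for p in PROBE_PORTS}, # drops the scanner
}


def fake_probe(client: str, ports: Iterable[int]) -> ScanResult:
    return ScanResult({p: FAKE_HOSTS[client][p] for p in ports})


def demo() -> Dict[str, str]:
    """Run each constructed client through the gate once."""
    gate = ScanGate(probe=fake_probe, ports=PROBE_PORTS)
    return {host: gate.login(host).value for host in FAKE_HOSTS}


if __name__ == "__main__":
    for host, decision in demo().items():
        print(f"{host}: {decision}")
```

With `treat_filtered_as_fail=False` the gate admits 10.0.0.7, the client that silently discards the scanner's traffic, which is exactly the filter-rule shortcut Paul describes; with the default setting it is locked out like the client with port 139 open. Nothing in the model addresses Problem A: the scan only ever sees the interface the login came in on.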
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:54 CDT