Inward telnet from insecure clients (was Re: Security Related Issues)

From: Bennett Todd (betat_private)
Date: Wed May 06 1998 - 04:12:26 PDT


1998-05-05-14:37:51 Jim Leo:
> We have our firewall in place, and issued 'smartcard' to those
> individuals [ running self-administered ("uncontrolled") win95 ] that
> require access to hosts inside the 'protected' zone.

I just had a thought. In a setting like this, how about rigging the daemon
to scan the client? Strobe[1] can run pretty quickly; don't let someone
log in at all until you've completed a strobe against 'em. Then let 'em
in, and commence an nmap[2] alongside to make sure there aren't any UDP
ports open. After the first time they log in, make a note, and from then
on let 'em in immediately --- but launch an nmap at the same time as you
let 'em in, and if ever they fail one, disable 'em until a hand reset.

If a client isn't listening on any ports it can't be burgled over the
net. Set the company policy that logins over the internet are only
permitted from clients which themselves can't be easily burgled, which
means they can't be listening for incoming connections.

Offer assistance at securing clients up to company spec.

Combine something like this with ssh[3] and I think you could actually
have pretty safe inbound access from the internet.

-Bennett

[1] <URL:ftp://suburbia.net/pub/strobe.tgz>
[2] <URL:http://www.dhp.com/~fyodor/nmap/>
[3] <URL:http://www.cs.hut.fi/ssh/>
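The admission policy sketched in the post, written out as an added example (not code from the post or from strobe/nmap): first-time clients are held until a scan of them comes back clean, known clients are admitted at once but re-scanned alongside the login, and any client that ever fails is disabled until an operator resets it. The scanner is an injected callable (assumed, so the policy can be exercised offline with constructed results); in deployment it would wrap the real TCP/UDP scan.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Assumed interface: given a client address, return the set of ports found
# listening. A deployment would wrap the real scanner here.
Scanner = Callable[[str], Set[int]]


@dataclass
class ClientGate:
    """Admission gate: scan first, remember who passed, disable on any failure."""
    scanner: Scanner
    known_good: Set[str] = field(default_factory=set)
    disabled: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def _scan_passes(self, client: str) -> bool:
        """A client passes only if it is listening on no ports at all."""
        open_ports = self.scanner(client)
        if open_ports:
            self.log.append(f"{client} listening on {sorted(open_ports)}; "
                            "disabled until hand reset")
            self.disabled.add(client)
            self.known_good.discard(client)
            return False
        return True

    def request_login(self, client: str) -> bool:
        """Return True if this login may proceed now."""
        if client in self.disabled:
            return False
        if client not in self.known_good:
            # First contact: hold the login until the scan comes back clean.
            if not self._scan_passes(client):
                return False
            self.known_good.add(client)
            return True
        # Known client: admit immediately. The re-scan (run alongside the
        # session in practice) only decides whether the next login is allowed.
        self._scan_passes(client)
        return True

    def hand_reset(self, client: str) -> None:
        """Operator action: re-enable a client that failed a scan."""
        self.disabled.discard(client)


if __name__ == "__main__":
    # Constructed scan results standing in for live strobe/nmap output.
    results = {"192.0.2.10": set(), "192.0.2.20": {139}}
    gate = ClientGate(scanner=lambda ip: results.get(ip, set()))
    print(gate.request_login("192.0.2.10"), gate.request_login("192.0.2.20"))
    print(gate.log)
```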

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:26 PDT