T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
4647.1 | | QUARK::LIONEL | Free advice is worth every cent | Fri May 02 1997 18:08 | 5 |
| No - you have always needed a crypto-key and authorization to do PUTs through
the gateway. If you managed to do it without a key, I'm sure the gateway
admins would like to know about it.
Steve
|
4647.2 | Then any other way? | MQOOA::LEDOUX | Vincent Ledoux@mail.dec.com | Fri May 02 1997 20:21 | 31 |
| I do remember when I was VMS support a long time ago
to have transferred patches directly to customer sites.
That may be a few years ago, but I am sure I did it.
I was using the Colorado site, although I do not remember
the exact details.
But what is the security issue to PUT files to a customer site?
I can understand the customer getting access internally, but
fail to see the security issue outbound.
Besides the point...
Is there any other way to do it?
Will I have to waste 2 hours to go to the office,
trying to get approval to have access to a system/tape drive
(add another few hours), copy the file to a $50 tape (add
a couple hours to find a media), have it sent to the customer
by FedEx ($50)?
Can this company still afford to waste that much money?
If anyone has a solution, let me know.
Mailing it is not feasible as the customer e-mail will not accept
e-mail more than 6 MB. The file is over that limit, and very
hard to break in pieces.
Thanks,
Vince.
|
4647.3 | | QUARK::LIONEL | Free advice is worth every cent | Fri May 02 1997 20:46 | 9 |
| The security issue is that they don't want someone who manages to get into
Digital's network to easily copy Digital's product sources or other
proprietary information outside the company. If you have a regular need to
"put" files, then apply for a cryptokey and use it. There is an initial
charge plus a yearly fee. I have one and use it regularly.
http://wrl-www.pa.dec.com/wrl/compute/guard/guard.html
Steve
|
4647.4 | Re: 530 Operation denied by FTP gateway on outgoing copy | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri May 02 1997 21:03 | 15 |
| Vincent -- DTN 632-7908 (v_ledoux@kaofs.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Is there a new procedure?
If you are using PA or CRL, the procedure has always required that you
use a cryptokey to authenticate yourself.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
4647.5 | It did use to work! | KAOFS::V_LEDOUX | Vincent -- DTN 632-7908 | Fri May 02 1997 21:55 | 50 |
| I found the original information I used "when" this was working.
Below is the mail...
It does say: FTP files "to" and "from" the remote site...
If someone wants to send "internal use only" out, he can
always e-mail it. I will have to do that, but I will
spend hours to break the file into multiple files, and the
customer will have to reconstruct it at the other end.
I believe it is a waste of time, non-professional for
a false-security issue.
Thanks for your prompt answer, anyway.
From: TSC::"mst%whtice.service.digital.com@deccxo" 18-APR-1995
16:05:12.74
To: n_pirollo%kaofs.dnet.digital.com@whtice.service.digital.com
CC:
Subj: How to ftp a file thru colorado.service.digital.com
To ftp a file "thru" colorado you need to do the following:
1. From the machine you are on type,
ftp colorado.service.digital.com 1555
It will present a screen asking for username @ hostname,
2. You'll need to supply a username on the host you are
trying to move the file to, or from. This would be
something you get, in advance from the customer.
3. It will then ask for a password, also obtained from the
customer, to go with the username and hostname. You enter
this at the password prompt.
4. At this point you are signed onto the customer system via
FTP. You can use standard FTP commands like GET and PUT
to copy from, or copy to, the files you're working with.
Hope that helps,
Jack Callaghan
Mike Temkin
Commercial Internet Services
|
4647.6 | Re: 530 Operation denied by FTP gateway on outgoing copy | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri May 02 1997 23:03 | 18 |
| Vincent -- DTN 632-7908 (v_ledoux@kaofs.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: It did use to work!
: I believe it is a waste of time, non-professional for
: a false-security issue.
You are free to believe what you like.
If you want to pursue this with the people who set the policies, send
mail to <ip-exarc@pa.dec.com>.
Stephen
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
4647.7 | Re: 530 Operation denied by FTP gateway on outgoing copy | QUABBI::"flaherty@pago-pago.pa.dec.com" | Paul Flaherty | Sat May 03 1997 00:53 | 21 |
| Vincent -- DTN 632-7908 (v_ledoux@kaofs.enet.dec.com) wrote:
> I believe it is a waste of time, non-professional for
> a false-security issue.
If Digital were to allow non-authenticated outgoing ftp, it would defeat the
purpose of having a firewall, to protect the intellectual property of the
corporation. The purpose of the cryptokey is to prove to the
firewall that you have the authority as a Digital employee to export the
intellectual property in question. The process itself takes less than ten
seconds, so it's hardly a burden or cumbersome. The keys themselves are
relatively easy to get, so if there's a chance you'll need one in the future,
you should consider having your organisation request one as a policy.
Should you still believe that this is a false security issue, I'd encourage
you to read the conviction history of Kevin Mitnick.
--
-=Paul Flaherty, N9FZX | "Just name a hero, and I'll prove he's a bum."
->flaherty@pa.dec.com | -- Col. Gregory "Pappy" Boyington
[posted by Notes-News gateway]
|
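As an added illustration (not code from this thread, and not Digital's gateway software) of the policy described in .5 and .7: a toy model of an outbound FTP gateway that lets a session copy files in once the customer-side login from the .5 procedure is done, but answers STOR with the 530 reply quoted in the topic title unless the session has also presented a recognised cryptokey, and writes an audit trail of who exported what. The AUTHKEY verb, the key table and the sample session are constructed assumptions.

```python
"""Toy model of an outbound FTP gateway's command policy (constructed for this
note; not Digital's gateway code).  Copies *into* the company (RETR) need only
the customer-side login; copies *out* (STOR) must also be tied to an employee
identified by a cryptokey, otherwise the gateway answers 530.  Every decision
is appended to an audit trail so an export can be traced afterwards."""

from dataclasses import dataclass, field
from typing import List, Optional

DENIED = "530 Operation denied by FTP gateway"  # reply quoted in the topic title

# Hypothetical key registry: key id -> employee account.  A real key would be
# checked with a challenge/response; here validity is just table membership.
KEY_OWNERS = {"key-0001": "v_ledoux", "key-0002": "stuart"}


@dataclass
class Session:
    target: str = ""                # "username@hostname" given at the gateway prompt
    logged_in: bool = False         # customer-side USER/PASS completed
    employee: Optional[str] = None  # set only after a recognised cryptokey
    audit: List[str] = field(default_factory=list)


def handle(sess: Session, line: str) -> str:
    """Apply the gateway policy to one control-channel line; return the reply."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":                       # step 2 of the .5 procedure
        sess.target = arg
        return "331 Password required for " + arg
    if verb == "PASS":                       # step 3: customer-supplied password
        if not sess.target:
            return "503 Login with USER first"
        sess.logged_in = True
        return "230 Connected to " + sess.target
    if verb == "AUTHKEY":                    # hypothetical verb carrying the key
        owner = KEY_OWNERS.get(arg)
        if owner is None:
            sess.audit.append(f"BAD-KEY target={sess.target} key={arg}")
            return "530 Cryptokey not recognised"
        sess.employee = owner
        return "230 Cryptokey accepted for " + owner
    if not sess.logged_in:
        return "530 Please login with USER and PASS"
    if verb == "RETR":                       # inbound copy: login is enough
        sess.audit.append(f"GET target={sess.target} file={arg}")
        return "150 Opening data connection for " + arg
    if verb == "STOR":                       # outbound copy: needs an identity
        if sess.employee is None:
            sess.audit.append(f"DENY-PUT target={sess.target} file={arg}")
            return DENIED
        sess.audit.append(f"PUT by={sess.employee} target={sess.target} file={arg}")
        return "150 Opening data connection for " + arg
    return "502 Command not implemented"


def run(commands: List[str]) -> tuple:
    """Feed a whole session through the gateway; return (replies, session)."""
    sess = Session()
    return [handle(sess, c) for c in commands], sess


if __name__ == "__main__":
    # Constructed sample: the same transfer with and without a cryptokey.
    login = ["USER support@customer.example", "PASS customer-pw"]
    replies, sess = run(login + ["RETR log.txt", "STOR patch.bck"])
    print(replies[-1])                       # the GET went through, the PUT got 530
    replies, sess = run(login + ["AUTHKEY key-0001", "STOR patch.bck"])
    print(replies[-1], "|", sess.audit[-1])  # PUT allowed and attributed to the key owner
```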
4647.8 | Note: lower case - I'm NOT yelling | PCBUOA::BAYJ | Jim, Portables | Mon May 05 1997 17:58 | 44 |
| Well, hate to jump on a stump, but...
It is *not* at all convenient or simple to have to order a $250 device
just to be able to use 50% of the capability of FTP. If you are of the
opinion implied by .7, that any legitimate employee has the privilege
and authority to push files, you are talking about 50,000 * $250 = $12
million dollars to quote-insure-unquote the "security" that someone has
to use mail instead of FTP to send out files.
And this doesn't factor in the infrastructure needed to support this
gateway system. It took me weeks to finally get a working set-up, and
the whole time I had the very strong impression that the support for
this effort is underfunded, understaffed, and at least somewhat casual.
Every message was certain to mention that each step of the process
would be taken "in good time" (to paraphrase) with no certainty of
precise completion times. There is no way that even a percentage of
DEC employees could be issued cryptokeys without breaking this process.
But that won't happen, because most cost center managers are going to
want to see a demonstrated need for a given employee to exercise his
"privilege", and the idea of everyone in a group having one, or
everyone getting one by default on their start date is ludicrous.
You can say what you will, but there has always been the tangible
"impression" that crypto-keys are for the elite few. And no one has
been doing anything to dispel that idea.
Requiring every employee to get a $250 device so they can do what
probably 90% of all the employees at every internet-connected company
in the world can do is pretty braindead.
BTW, you mention Mitnick. Well, that name always comes up regarding
security. He stole the VMS sources. If that is the best argument for
security you can come up with in these days and times, I'm not
convinced.
Corporate security is important. Vital. I don't question that at all.
I seriously question whether limiting push capability has anything
whatsoever to do with that.
The VMS paranoia days are over. It's time to join the 20th century.
jeb
|
4647.9 | | LGP30::FLEISCHER | without vision the people perish (DTN 381-0426 ZKO1-1) | Mon May 05 1997 19:00 | 5 |
| re Note 4647.8 by PCBUOA::BAYJ:
Very well put.
Bob
|
4647.10 | | axel.zko.dec.com::FOLEY | http://axel.zko.dec.com | Mon May 05 1997 20:09 | 8 |
|
One would hope that the days when our badges can become
Smart Cards are close at hand. With the simple use of a
3.5" floppy-to-SmartCard adaptor, we could solve problems
like this fairly easily.
mike
|
4647.11 | Re: 530 Operation denied by FTP gateway on outgoing copy | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Tue May 06 1997 04:13 | 29 |
| Jim, Portables (bayj@pcbuoa.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: Note: lower case - I'm NOT yelling
I'm not yelling either.
: Corporate security is important. Vital. I don't question that at all.
: I seriously question whether limiting push capability has anything
: whatsoever to do with that.
:
: The VMS paranoia days are over. It's time to join the 20th century.
You can post as elegant a supporting argument for your position as you
like, and you will accomplish nothing of any substance, except
whatever warm feeling you get from having said something. We're all
happy to go down the garden path with you, as a topic or keyword
search or whatever will show you. A lot of us know it quite well.
If you want your commentary to be heard by people who have more to
offer than just a sympathetic ear, then SEND MAIL to the people who
make policy. We maintain an alias for them, <ip-exarc@pa.dec.com>
(although none of them are Palo Alto people).
Stephen
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
4647.12 | re:"The VMS paranoia days are over. It's time to join the 20th century."
| TWICK::PETTENGILL | mulp | Thu May 08 1997 05:57 | 15 |
| What does that mean? Since VMS is gone and unix doesn't have any security
and it has been reported that NT is worse than unix, we shouldn't even bother
trying?
I keep after the unix people I work with to implement the so-called enhanced
security, which is just simply what VMS has had for a decade, even though, or
perhaps especially because, I know it causes them so much pain with broken
software and degraded performance.
Ultimately, I believe that the pain will pay off in the high marks that the
product reviewers have been giving the security products we're marketing under
the AltaVista brand.
Congrats on the Computer Resellers picking AltaVista firewall as their
Editor's Choice.
|
4647.13 | | PCBUOA::BAYJ | Jim, Portables | Thu May 08 1997 18:43 | 38 |
| I refer to paranoia over the VMS sources being stolen, which oftentimes
seems to be the driving mentality to many of our security efforts.
The reason I take issue with the policy is that 99% of the employees
are restricted from using a commonly available capability in the very
remote chance that someone might break into a Digital system, and for
some reason find that the only way they have of transporting
proprietary information off the intranet is using FTP (i.e., for some
reason, mail, Kermit, Z-modem, etc. are not available).
In other words, we don't protect against someone breaking in and
*mailing* themselves information. Why? Because to disable outgoing
mail would impact business.
Well, my point is that not having FTP impacts business. More and more
each day. Before the WWW surge, FTP was largely unknown, and rarely
needed. Since the WWW, FTP has become as common as email for
transport, and is becoming much more widely known. Not to mention it
is FAR faster and more reliable. I finally had a business case to
justify a crypto-key because we simply couldn't continue to do business
using mail for transporting large binary files.
I believe the only reason FTP is so zealously guarded is strictly
historical, and that the need to protect it so is now past.
Think about it: We seek to protect our network by making sure that if
someone breaks into it, they will find it's unusable????
What's wrong with THAT picture? Let's focus our security efforts where
it makes sense, and permit our employees access to the tools that all
our competitors have access to.
jeb
(BTW, I haven't even mentioned having inbound FTP sites available
outside the firewall. Our competitors have those as well, easily
accessible)
|
4647.14 | Re: 530 Operation denied by FTP gateway on outgoing copy | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri May 09 1997 03:23 | 27 |
| Jim, Portables (bayj@pcbuoa.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: (none)
: What's wrong with THAT picture? Let's focus our security efforts where
: it makes sense, and permit our employees access to the tools that all
: our competitors have access to.
Your opinion is not new. If you search this conference you will find
that others have expressed the exact same feelings. Note the dates.
Through all the years that feelings identical to yours have been
expressed, not one word has been mailed to <ip-exarc@pa.dec.com>.
There is a group of people who would love nothing more than to focus
our security efforts where it makes sense. Until you, the people
affected by these policies, make your feelings known, nothing will
change.
Posting here doesn't count. You, Jim, are just the next in a long line
of people whose opinions have not mattered because they were not heard.
Stephen
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
4647.15 | | LGP30::FLEISCHER | without vision the people perish (DTN 381-0426 ZKO1-1) | Fri May 09 1997 13:38 | 16 |
| re Note 4647.14 by QUABBI::"stuart@nsl-too.pa.dec.com":
> Posting here doesn't count. You, Jim, are just the next in a long line
> of people whose opinions have not mattered because they were not heard.
This is certainly true.
However, it can be very helpful for a person who wishes to
change things to sound out their ideas and their arguments
first with a more open and (presumably) more sympathetic
audience.
Of course, as you point out, you then need to take the next
step and make the presentation to the official body.
Bob
|
4647.16 | | PCBUOA::BAYJ | Jim, Portables | Fri May 09 1997 16:50 | 11 |
| So, who exactly are these mysterious folks at <ip-exarc@pa.dec.com>
that don't read notesfiles, and obviously are completely out of touch
with their "customers", the employees of this company?
And, along the lines of .15, does my opinion represent a vocal
minority, or the silent majority? Is this a real issue, or an
occasional inconvenience with numerous alternatives? Or did I call it
right that demand is growing with cognizance of the internet?
jeb
|
4647.17 | Re: 530 Operation denied by FTP gateway on outgoing copy | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri May 09 1997 19:03 | 53 |
| Jim, Portables (bayj@pcbuoa.enet.dec.com) wrote:
: Title: 530 Operation denied by FTP gateway on outgoing copy
: Reply Title: (none)
: So, who exactly are these mysterious folks at <ip-exarc@pa.dec.com>
: that don't read notesfiles, and obviously are completely out of touch
: with their "customers", the employees of this company?
The current list is:
Randy Brown <brownr@mail.dec.com>
Paul Doucette <doucette@das.dec.com>
Chuck Noble <noble@mail.dec.com>
Jean-Paul Rambeau <rambeau@mail.dec.com>
Stephen Webber <webber@akocoa.enet.dec.com>
Bob Yost <yost@ics.enet.dec.com>
Notes is not an official communications medium of the Corporation (MTS
mail is the only officially blessed medium, by the way). You need to
adjust your expectations accordingly, starting with your "these people
are completely out of touch" attitude. You probably wouldn't like it
if I said, "you obviously are completely out of touch with the way
that change is accomplished," would you? I haven't said that because
I'm trying to inform you, rather than belittle you. The people on the
<ip-exarc@pa.dec.com> list deserve the same courtesy from you that you
are getting from me.
: And, along the lines of .15, does my opinion represent a vocal
: minority, or the silent majority? Is this a real issue, or an
: occasional inconvenience with numerous alternatives? Or did I call it
: right that demand is growing with cognizance of the internet?
My opinion is there are mechanisms to accomplish the majority of the
communications needs of the corporation. There are obvious problems,
and those of us who implement gateways are working hard to overcome
them in a manner consistent with the policy that we are directed to
follow.
This is an over-simplification, but the world is divided into two
camps: people who can't do what they need to do because the mechanisms
don't exist, and people who are dissatisfied with the existing
mechanisms. The latter group seems to consist mostly of people who either
do not understand that the purpose of a cryptokey is authentication,
or who are unwilling or unable to justify the expense of a cryptokey
to their cost center managers. This despite the fact that the
objections are always phrased in terms of "convenience."
Stephen
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
4647.18 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Mon May 12 1997 14:21 | 24 |
| > Notes is not an official communications medium of the Corporation (MTS
> mail is the only officially blessed medium, by the way).
Actually, you must be out of touch! :-) Exchange Mail is now officially
blessed as the replacement for MTS. Three out of those 6 mail addresses
are to an Exchange Mail server.
> This is an over-simplification, but the world is divided into two
> camps: people who can't do what they need to do because the mechanisms
> don't exist, and people who are dissatisfied with the existing
> mechanisms. The latter group seems to consist mostly of people who either
> do not understand that the purpose of a cryptokey is authentication,
> or who are unwilling or unable to justify the expense of a cryptokey
> to their cost center managers. This despite the fact that the
> objections are always phrased in terms of "convenience."
>
I agree. If you can't justify a cryptokey to your cost center manager
you probably should not be sending files to an outside company. It's not
just a matter of convenience, it's a matter of security. I doubt that you
will get ANYONE in EXARC to listen to you based on convenience as opposed to
need. I expect their response will be: why can't you get a cryptokey?
Danny
|
4647.19 | You already have it! | ACOUPA::DESOZA | Jean-Pierre, DTN 828-5559 | Tue May 13 1997 08:46 | 15 |
| If the purpose is just to deliver some file to a customer, there are
Delivery Tools: DDIA, DSNlink, WIS ... that routinely allow files to
be transferred outside the firewall.
The situation is very common: Development groups who need to install
their code on a customer's system, Customers who need a copy of their
contracts, and of course regular support and delivery of patches, using
the transport you prefer: Modems: ISDN or PSTN, TCP/IP, X.25 or DECnet.
All this with the blessing of ExArc, because the solution has been
technically reviewed.
So instead of re-inventing the wheel, just ask your nearest MCS Service
Infrastructure Engineering team in CXO or VBO.
Jean-Pierre @VBO
|
4647.20 | Illogical? | BHAJEE::JAERVINEN | Ora, the Old Rural Amateur | Tue May 13 1997 11:20 | 4 |
| So how about Compuserve? I can't telnet out either. On the other hand,
I can use WinCim to connect to Compuserve via our proxy, and WinCim
does allow telnet (and ftp, including put). Granted, it's probably
terribly slow.
|
4647.21 | | BLAZER::MIKELIS | Software Partner's Eng. MR01-3/F26 | Tue May 13 1997 19:32 | 17 |
| I'm also impacted by not having a crypto-key. It's not that I couldn't get one,
it's just that I don't see why our cost center should be charged for multiple
keys when most of our group needs to FTP files to the ISVs we support on a
regular basis. For small files, I uuencode a tar file and email pieces of it.
For large files I have someone here who has ftp access out to push the files.
The point is you don't need a costly "key" to get binary files out of the
company if you are so inclined, proprietary or not. This crypto baloney just
adds overhead to the bottom line as far as I can see.
------------------------------------------------------------------------------
James C. Mikelis Software Partners Engineering
Phone: +1.508.467.9073 (FAX) 1.508.467.1468 Digital Equipment Corporation
EMAIL: Mikelis@mail.dec.com 200 Forest St. [MR01-3/F26]
http://www.digital.com/www-swdev/ Marlboro, MA 01752
------------------------------------------------------------------------------
|
4647.22 | | QUARK::LIONEL | Free advice is worth every cent | Tue May 13 1997 20:23 | 9 |
| Re: .21
Ok, so you have found a compromise which works for you. Good. Note that your
e-mail is logged, so there is a "trace" available should the need arise.
As has been said earlier, MCS Colorado offers a service to groups who need
frequent access to FTP PUT. I don't know what the relative costs are.
Steve
|
4647.23 | | PCBUOA::BAYJ | Jim, Portables | Wed May 14 1997 17:33 | 41 |
| >I doubt that you will get ANYONE in EXARC to listen to you based on
>convenience as opposed to need. I expect their response will be: why
>can't you get a cryptokey?
Perhaps this is the attitude that keeps people from bothering to try
and change a broken system. If you know in advance that attitudes are
against you, and not open to suggestions or change, it makes it less
likely that you'll mount your sturdy steed.
I've had many occasions when I had a business need for the ability to
FTP push. It would have been extremely helpful, timesaving, and
therefore cost saving for the company. However, these were mostly
short duration requirements that couldn't wait for the 1-2 month cycle
for securing a crypto-key to complete. For want of a nail...
As I mentioned, I now have a justifying business purpose, and a manager
that doesn't suffer from penny-wise/dollar-foolish syndrome, unlike
many Digital managers.
In fairness though, note that in the name of security, we have
purposely prevented employees from using a capability that has been
built in to the network since the day it was turned on. This is not
the case of it being expensive to PROVIDE a capability, but rather it's
expensive to DENY the capability. We are paying money to lose money.
Realize also that the person who said they use someone else's
crypto-key technically violates the rules for using a crypto-key.
Theoretically, anyone who ever pushes a file needs a key, and we've
already discussed the less than hospitable atmosphere that surrounds
the process of getting a key.
Ideally, it would be nice if the corporate infrastructure people were
more interested in providing people the tools needed to do their job in
a convenient, friendly way that would encourage doing things in a
manner that is convenient and inexpensive.
But if that happened naturally, we might still be a 125,000 person
company.
jeb
|
4647.24 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Wed May 14 1997 17:50 | 53 |
| > >I doubt that you will get ANYONE in EXARC to listen to you based on
> >convenience as opposed to need. I expect their response will be: why
> >can't you get a cryptokey?
>
> Perhaps this is the attitude that keeps people from bothering to try
> and change a broken system. If you know in advance that attitudes are
> against you, and not open to suggestions or change, it makes it less
> likely that you'll mount your sturdy steed.
>
> I've had many occasions when I had a business need for the ability to
> FTP push. It would have been extremely helpful, timesaving, and
> therefore cost saving for the company. However, these were mostly
> short duration requirements that couldn't wait for the 1-2 month cycle
> for securing a crypto-key to complete. For want of a nail...
>
> As I mentioned, I now have a justifying business purpose, and a manager
> that doesn't suffer from penny-wise/dollar-foolish syndrome, unlike
> many Digital managers.
>
> In fairness though, note that in the name of security, we have
> purposely prevented employees from using a capability that has been
> built in to the network since the day it was turned on. This is not
> the case of it being expensive to PROVIDE a capability, but rather it's
> expensive to DENY the capability. We are paying money to lose money.
You're totally missing the point. There's a reason that this corporation
has firewalls around its corporate network. We could save millions of dollars
by doing away with the firewalls and infrastructure needed to support them.
Why do you think so many companies are ADDING firewalls? Just to burden down
those employees needing to get something out to the customer? Or is it because
they want to protect the corporate assets and trade secrets? You're complaining
about something costing $100 per year per cryptokey to ensure that the
person sending something out is an authorized employee. At least that can be
tracked. Are you objecting to people being identified when they send something
out?
>
> Realize also that the person who said they use someone else's
> crypto-key technically violates the rules for using a crypto-key.
> Theoretically, anyone who ever pushes a file needs a key, and we've
> already discussed the less than hospitable atmosphere that surrounds
> the process of getting a key.
>
The person loaning a cryptokey to someone else is ultimately responsible
for what that person does with the key.
> Ideally, it would be nice if the corporate infrastructure people were
> more interested in providing people the tools needed to do their job in
> a convenient, friendly way that would encourage doing things in a
> manner that is convenient and inexpensive.
>
They do. It's called a cryptokey.
Danny
|
4647.25 | | BHAJEE::JAERVINEN | Ora, the Old Rural Amateur | Wed May 14 1997 18:22 | 5 |
| >At least that can be tracked.
How are those tracked who (potentially) push files out using the
Compuserve proxy?
|
4647.26 | | TWICK::PETTENGILL | mulp | Thu May 15 1997 02:10 | 78 |
| One might argue that the appropriate place to implement the necessary controls
is within the specific functional units that hold the critical business data.
However, as anyone who has tried to interact with engineers in VMS knows,
they found it necessary to implement a firewall around VMS to protect themselves
from external access to VMS systems from intruders making use of insecure
access points elsewhere within Digital.
On the other hand, unix engineering does not have a firewall protecting them
from intruders who gain access to our network from any source. Furthermore,
most of the unix technical people seriously object to implementing what
is called "enhanced security" because it makes everything much more complicated.
One particular area of complication is in the use of NIS.
Given, for example, the recently publicized news server bug which allows a
clever user to issue commands on virtually any unix system running a news
server, intruders were at least limited to using mail to send back results
rather than being able to ftp back the results of their scavenging. While
the intruders who exploited this hole in the news servers in use inside and
outside of Digital used mail for simplicity, it's not inconceivable that
someone who was sufficiently motivated, and informed, would make use of Digital's
network if there were no other restrictions.
And here's how you do it.
By use of the news server bug you issue a command that accesses the ftp gateway
to copy into Digital a special program. This program is then executed by
the same means on the news server machine.
What this program does is connect to the ftp gateway twice. The first
connection is to "get" a special file on the intruder's system. This special
file is the incoming telnet stream. And in truth, this can be done today.
However, it is seldom useful to type blindly into a system without getting any
output. That is where the second connection to the ftp gateway comes in. The
second connection issues a "put" to a special file that is the outgoing telnet
stream.
The reason that this works is that the gateway has no way to interpret the
data stream because it is a pure octet stream. It would be impossible to
differentiate between the log of an interactive session and the actual data
stream involved.
You might argue that this is so complicated that no one would make use of
this capability. However, the same technique was effectively used with DAP
to create remote terminal sessions on VMS. In part this was easy because of
the tight integration of networking and VMS; the entire program transferred
and executed was written in DCL, but it also demonstrates how simple the
idea is. I'm sure that someone who was sufficiently proficient in shell
commands would figure out the "one line command" that would implement the
above in less than a day given access to a system and a two-way ftp gateway.
So, what we have is a conflict between culture and technology: security,
including auditing, on unix systems conflicts with the users' desired
ease of use and the unix model of doing as much as possible with simple
tools that are activated by issuing commands that pipe the data from one
tool to another, making adding security checks and auditing difficult (but
not impossible - the news server security hole has been plugged assuming
everyone has patched their news server).
Since it's difficult, and sometimes impossible, to force everyone to follow
strict security standards, simple blunt objects are used to close the most
inviting holes.
One simple solution would be to put a CI VMScluster on the firewall. With one
node of the cluster outside the firewall and the rest inside the firewall,
the cluster would be rather easy to manage. The intracluster communication
would be done over CI. The data could be copied to a staging area on the
cluster which was accessible over the network from either side. Alternately,
I suspect that it would be easy to create a web interface that allowed
FTSV jobs to be created that first transferred the file to the cluster and
then back off the cluster on the other side of the firewall.
And to further confound the hackers, the file transfers could be done on the
internet side using ISO OSI protocols and RFC1006. One of the arguments as
I understand it for IPv6 is that the OSI protocols can't be implemented so
that means that such transfers would be limited to people using Digital
computers. At a minimum, hackers would at least have to buy a computer that
is capable of running VMS or Digital UNIX. ;-)
|
4647.27 | ExArc control: an illusion of management | STAR::jacobi.zko.dec.com::jacobi | Paul A. Jacobi - OpenVMS Systems Group | Mon May 19 1997 20:44 | 18 |
| ExArc has often refused access to certain types of internet data for security
reasons.
Eventually, somebody outside the control of ExArc sets up and maintains their own
"rebel" internet gateways and proxies. Recent examples include the Secure HTTP proxy
and the RealAudio proxy. How long before somebody sets up their own FTP PUT proxy or
gateway?
Yet, people are screaming for blocking of spam mail, but ExArc does nothing.
IMHO, ExArc control over corporate internet security is only an illusion of
management.
-Paul
|
4647.28 | | BIGUN::nessus.cao.dec.com::Mayne | A wretched hive of scum and villainy | Mon May 19 1997 22:15 | 6 |
| Have people screamed to ExArc, or just to this Notes conference?
Is ExArc's function security related, or network management related? What does
corporate internet security have to do with spam?
PJDM
|
4647.29 | detracts from Email's utility | LGP30::FLEISCHER | without vision the people perish (DTN 381-0426 ZKO1-1) | Mon May 19 1997 22:49 | 8 |
| re Note 4647.28 by BIGUN::nessus.cao.dec.com::Mayne:
> Is ExArc's function security related, or network management related? What does
> corporate internet security have to do with spam?
If you get enough spam it's a denial-of-service attack.
Bob
|