SUMMARY: Need firewall telnet/ftp gateway

From: Keith McNeill (mcneill@udel.edu)
Date: Wed May 08 1991 - 09:25:01 CDT


Many people asked for a summary on the responses that I got on my proxy
telnet/ftp query.

First my original note:

]
]
]We are setting up an internet gateway at work. Currently, we're going
]to set it up as a firewall system. A problem with this setup is that
]anybody in the company who wants to telnet/ftp to the internet has to
]have an account on the firewall system, an administration nightmare. I've
]heard about some software that you put on the gateway that acts as a
]telnet/ftp intermediary. The software consists of a modified telnet/ftp
]for inside our network which connects to intermediary software that is put
]on the firewall gateway. The intermediary software then makes the telnet/ftp
]connections out on the internet.
]

Now the "answer":

If your firewall is a Sun & you have lots of Suns in your organization, then
you are all set. Sun has (or is about to release) a Consulting Special
called Itelnet/Iftp, which is a proxy telnet/ftp server. Call your local Sun
office for information on "Consulting Specials". If you don't have Suns, I
heard from somebody at Sun that the consulting group ***may*** be willing to
port... for a price.

Some people mentioned AT&T's paper on their Internet gateway. I still haven't
been able to relocate my copy, but if memory serves me, I think that their
setup is specific to AT&T & their Datakit network. Please correct me if I
am wrong.

Many, many people mentioned using a router (most people mentioned Cisco) to
do packet filtering. A couple of people had an interesting firewall/router
debate going on for a while, but I don't think that there is a correct
answer. As with most computer/network configurations, which is the better
solution depends on the structure & people of your company/organization.

If you decide to go the router "route", some people suggested that, among the
obvious ports to restrict, you restrict UDP packets to block Sun RPCs
(including Yellow Pages & NFS) and TCP port 6000 to block X11.

There is also some software that enables you to disallow connections from
certain hosts/domains at certain ports. You can get it via anonymous ftp at
cert.sei.cmu.edu in pub/network_tools.

Many thanks to:

Richard Cower <cower@csli.stanford.edu>
mo@messy.bellcore.com
Bill Lewandowski <wrl%wdl51@wdl1.wdl.loral.com>
"Jerry M. Carlin" <jmcarli@srv.pacbell.com>
"Timothy G. Smith" <tgsmith@east.sun.com>
smb@ulysses.att.com
William Clare Stewart <wcs@erebus.att.com>
Michael O'Connor <mikeoc@boilermaker.west.sun.com>
"Anthony A. Datri" <datri@concave.convex.com>
"Randal L. Schwartz" <merlyn@iwarp.intel.com>
"Kenneth R. van Wyk" <krvw@cert.sei.cmu.edu>
Tp Brisco <brisco@pilot.njin.net>
Brent Chapman <brent@napa.telebit.com>
fec@mhuxo.att.com
David Pipes x4552 <srg!dpipes@uunet.uu.net>
David Richardson <cs4304ak@cse.uta.edu>
Sean Kelly <kelly@jupiter.nmt.edu>
"Ted R. Doty" <dotytr@nscultrix1.network.com>
Chris Sherman <sherman@unx.sas.com>
David Neal <uunet!sun.rice.edu!dan@cbmvax.uucp>
rodk@germania.corp.sun.com
Phil Meyer <phil@arco.com>

and all the other people who responded. I got close to 40 responses within
24 hours! Once again the Internet proves its worth!!

Keith

    Keith McNeill | 1131 North Broom Street
    mcneill@udel.edu | Wilmington, Delaware, 19806
                                  | (302) 427-0101
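The router-filtering advice in the summary above (drop UDP so that Sun RPC, NIS
and NFS cannot be reached from outside, drop TCP port 6000 so X11 stays off the
wire, and let only the gateway's own proxy traffic through), worked as a small
first-match, default-deny access list. This is an added example and not code
from the original post, from any of the respondents, or from any router vendor;
the rule syntax, the addresses (192.0.2.0/24 as the inside network with the
gateway at 192.0.2.1, 198.51.100.0/24 standing in for the Internet) and the
sample packets are all constructed for the illustration.

```python
"""Toy inbound packet filter for a firewall gateway: added example, not the
original post's or any vendor's code. Addresses and traffic are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str                   # source IPv4 address
    sport: int                 # source port
    dst: str                   # destination IPv4 address
    dport: int                 # destination port
    established: bool = False  # TCP segment with ACK or RST set, i.e. not a new SYN


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp" or "ip" (either)
    src: str = ANY                      # source network, CIDR notation
    dst: str = ANY                      # destination network, CIDR notation
    sport: Optional[range] = None       # None matches any source port
    dport: Optional[range] = None       # None matches any destination port
    established: Optional[bool] = None  # None: don't care
    note: str = ""                      # why the rule exists

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.sport is None or p.sport in self.sport)
            and (self.dport is None or p.dport in self.dport)
            and (self.established is None or self.established == p.established)
        )


def evaluate(policy: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. With no match the packet is dropped, which is
    the implicit 'deny everything' at the end of a router access list."""
    for i, rule in enumerate(policy):
        if rule.matches(p):
            return rule.action, i
    return "deny", None


# Constructed topology (documentation address ranges, not real sites).
GATEWAY = "192.0.2.1/32"

# Rules applied to packets arriving from the Internet side, in order.
INBOUND = [
    Rule("deny", "udp", note="Sun RPC/portmapper, NIS and NFS all ride on UDP"),
    Rule("deny", "tcp", dport=range(6000, 6064), note="X11: display n listens on 6000+n"),
    # Replies to connections the proxy on the gateway opened outward.
    Rule("permit", "tcp", dst=GATEWAY, established=True, note="proxy telnet/ftp return traffic"),
    # Active-mode FTP: the remote server connects back from its port 20 to the
    # gateway's data port, so that one inbound connection has to be allowed.
    Rule("permit", "tcp", dst=GATEWAY, sport=range(20, 21), dport=range(1024, 65536), note="ftp data"),
    # Everything else from outside, to the gateway or to inside hosts, is dropped.
]


def sample_traffic() -> List[Packet]:
    """Constructed packets as seen on the outside interface."""
    return [
        Packet("udp", "198.51.100.7", 1023, "192.0.2.10", 2049),      # NFS to an inside host
        Packet("udp", "198.51.100.7", 1022, "192.0.2.10", 111),       # portmapper probe
        Packet("tcp", "198.51.100.7", 1021, "192.0.2.10", 6000),      # X11 display :0
        Packet("tcp", "198.51.100.7", 23, "192.0.2.1", 1500, True),   # telnet reply to the proxy
        Packet("tcp", "198.51.100.7", 20, "192.0.2.1", 1501),         # ftp data back to the proxy
        Packet("tcp", "198.51.100.7", 1020, "192.0.2.1", 23),         # new telnet to the gateway
        Packet("tcp", "198.51.100.7", 1019, "192.0.2.10", 23),        # telnet to an inside host
    ]


def audit(policy: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str, Optional[int]]]:
    """Run every packet through the policy and record the verdict and rule index."""
    return [(p, *evaluate(policy, p)) for p in packets]


if __name__ == "__main__":
    for p, verdict, idx in audit(INBOUND, sample_traffic()):
        why = INBOUND[idx].note if idx is not None else "implicit deny"
        print(f"{verdict:6} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  ({why})")
```

Two caveats a practitioner would add before copying this onto a real router.
The "established" rule only checks the ACK/RST bits of a single packet, so a
crafted packet with ACK set and no prior SYN passes it; a stateless filter
cannot do better, which is part of why the proxy on the gateway matters. And a
blanket UDP deny also stops DNS answers to the gateway's resolver, so a real
policy needs a narrow exception for that before the UDP deny.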



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:13 CDT