SUMMARY: Packet filtering/screening with SunLink ISDN

From: Sten Gunterberg (sten@ergon.ch)
Date: Wed Nov 24 1993 - 12:51:49 CST


Hi Managers!

Sorry about the rather long delay for this summary, but I have been really
busy the last few weeks (lots of projects, I'm only a sysadm on the side).
When I finally started thinking of doing the summary, the sendmail frenzy
started. Thanks for your patience.

[ original question included at end ]

I did not receive many answers, even after the preliminary summary I sent
(must be a tough question :-) The answers mostly consisted of "turn off IP
forwarding and use tcp_wrapper/log_tcp". That would be OK for a classic
firewall (which we already have in place). Alas, this is not what I need,
despite that I said "any kind of filter is better than no filter", because
tcp_wrapper et al don't classify as filters in the sense I meant.

One thing we want to be able to do is to use ISDN to test/debug X11-applications
remotely, without having to run them/having the display on the ISDN-router,
i.e. the router has to forward packets. I haven't heard of any X11 proxies yet,
that don't require changes to the client program. For this to be secure, we
need *real* packet filtering.

This note regarding the missing packet filtering in the SunLink products is
quite interesting, I think:

Geert Jan de Groot <geertj@ica.philips.nl> wrote:
>
> I complained to SUN many times about this, but they don't care.
> This has been the case for quite a while; I started complaining
> about it on SunLink X.25 6.0 (1988 I think), and they never reacted.
>
> Note that you are *much* better off using a dedicated device. SUN has
> a bad record of addon-products-that-don't-keep-up-with-os-releases.
>
> On the other hand, the SUN stuff is cheaper (but not by much if you
> need to dedicate machines because of security!), so I advise to use
> that on home machines, but not for access to larger networks with sensitive
> data.
>
> I use the ISDN product only to connect two parts of my site, that
> have the same 'status'. For external access, it is not very suitable.
>

Well, I agree with that. But I don't *want* to buy dedicated hardware when I
have this "old" SS-1 doing nothing than collect dust. With the right SW, it
makes a good router, when you don't need large throughput. On the other side,
I have neither heard of ISDN capable routers, at least not here in Europe.

Most people also said they do their filtering on the router (e.g. CISCO) and
don't bother having that functionality on their Suns. A pity. If a lot of
customers would complain to Sun, they would perhaps do something about it.

I also spoke to our local Sun representative about the issue. They were
responsive, but could or would not say what Sun plans for future versions
of the SunLink products in question :-(

Morning Star Inc. (makers of MST-PPP) are considering enhancing their PPP
product to run on SPARCstation ISDN interfaces. Now that would be great!
I sure hope they add that soon...

So, the net result seems to be, "No cake this time" :-) What a shame...

Thanks to the following people:
    Geert Jan de Groot <geertj@ica.philips.nl>
    David Deaves <David.Deaves@cbr.atr.com.au>
    see@uebemc.siemens.de (Seeger Michael)
    davec@cs.ust.hk (Dave Curado)
    Florian Gutzwiller <Florian.Gutzwiller@open.CH>

-- Sten

======= Original question =================================================

To: sun-managers@eecs.nwu.edu
Subject: Packet filtering/screening with SunLink ISDN anyone?

Hi Managers!

We are just starting to use SunLink ISDN 1.0 for dial-up connections
using SS 10s and LXs (running SunOS 5.2). So far everything has been
really nice and smooth, works like a charm.

Now, what seems to be missing is the ability to do packet filtering
(also called packet screening), i.e. passing/rejecting/logging of IP
packets based on criteria from the packets, e.g. addresses, port
numbers, etc. (We are also using Morning Star's PPP here. Their packet
filtering is very good, IMHO).

After RTFM isdnio(7), pfmod(7) and using snoop(8), I determined that
packet filtering must be a possibility. So, has anyone already done it?
Reasons against doing it that way? Other ways of doing it?

Even if it is not possible to implement something similar to MST-PPP's
capabilities, any kind of filter is better than no filter :)

Thanks in advance and, as usual, I'll summarize.

----------------------------------------------------------------------------
Sten Gunterberg, sg@ergon.ch, /C=CH/A=arCom/P=EUnet/O=Ergon/S=Gunterberg/
GCS d-(++) p-(+)(---) c+++ !l u++++ e-(*) m+(---) s/++ h-- f+ !g w+ t+ y+(*)
           Friends come and go, but enemies accumulate.
                         -- Unknown
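The kind of filter the original question asks for (pass/reject/log decisions taken on the IP addresses, protocol and port numbers of each forwarded packet, with the X11 display ports as the use case) can be illustrated with a small stateless screening routine. The following Python is an added example written for this archive page; it is not code from the poster, from SunLink ISDN, Morning Star PPP or pfmod(7), and it does not talk to any interface. It assumes nothing beyond the Python standard library: the rule set, the "trusted network" in 192.0.2.0/24 and the sample packets are all constructed here from documentation address ranges.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass
class Rule:
    """One screening rule; a field left as None matches anything. First match wins."""
    action: str                                   # "pass" or "reject"
    log: bool = False                             # write a log line when this rule fires
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[int] = None                   # IP protocol number
    dport: Optional[Tuple[int, int]] = None       # inclusive destination port range


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header and, for TCP/UDP first fragments, the port numbers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info = {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "sport": None, "dport": None}
    # Only the first fragment carries the transport header, so only it has ports.
    if proto in (TCP, UDP) and (flags_frag & 0x1FFF) == 0 and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.src is not None and pkt["src"] not in rule.src:
        return False
    if rule.dst is not None and pkt["dst"] not in rule.dst:
        return False
    if rule.proto is not None and pkt["proto"] != rule.proto:
        return False
    if rule.dport is not None:
        # A non-first fragment has no port numbers, so a port-based rule cannot match it.
        if pkt["dport"] is None:
            return False
        lo, hi = rule.dport
        if not lo <= pkt["dport"] <= hi:
            return False
    return True


def screen(rules: List[Rule], packet: bytes, log: List[str]) -> str:
    """Return "pass" or "reject" for one packet; anything unmatched is rejected."""
    try:
        pkt = parse_ipv4(packet)
    except ValueError as exc:
        log.append(f"reject malformed packet: {exc}")
        return "reject"
    for rule in rules:
        if matches(rule, pkt):
            if rule.log:
                log.append(f"{rule.action} {pkt['src']}:{pkt['sport']} -> "
                           f"{pkt['dst']}:{pkt['dport']} proto={pkt['proto']}")
            return rule.action
    log.append(f"reject (no rule) {pkt['src']} -> {pkt['dst']} proto={pkt['proto']}")
    return "reject"


def build_ipv4(src: str, dst: str, proto: int, sport: int, dport: int,
               frag_offset: int = 0) -> bytes:
    """Constructed sample packet: header plus the first four transport bytes.
    The header checksum is left zero; screening does not depend on it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, frag_offset & 0x1FFF, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!HH", sport, dport)


# Policy in the spirit of the question: let the trusted office network reach X11
# displays (TCP 6000-6009) on the far side of the link, log it, reject everything else.
TRUSTED = ipaddress.IPv4Network("192.0.2.0/24")       # constructed documentation range
RULES = [
    Rule("pass", log=True, src=TRUSTED, proto=TCP, dport=(6000, 6009)),
    Rule("reject", log=True),
]


def demo() -> List[Tuple[str, str]]:
    """Run four constructed packets through RULES and return (label, verdict) pairs."""
    log: List[str] = []
    results = [
        ("x11 from trusted", screen(RULES, build_ipv4("192.0.2.10", "198.51.100.5", TCP, 40000, 6000), log)),
        ("x11 from outside", screen(RULES, build_ipv4("203.0.113.7", "198.51.100.5", TCP, 40000, 6000), log)),
        ("telnet from trusted", screen(RULES, build_ipv4("192.0.2.10", "198.51.100.5", TCP, 40000, 23), log)),
        ("later fragment, trusted", screen(RULES, build_ipv4("192.0.2.10", "198.51.100.5", TCP, 40000, 6000, frag_offset=8), log)),
    ]
    for line in log:
        print(line)
    return results


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label}: {verdict}")
```

The last sample packet shows the caveat a port-based screen has to handle: a non-first fragment carries no TCP header, so the only safe policy is to let a port rule not match it and fall through to the default reject, rather than treating "no port" as "any port". Putting the explicit reject rule last, with logging on, gives the pass/reject/log trio the question describes.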



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:30 CDT