BSD Firewall
R. Les Cottrell, Stanford Linear Accelerator Center (SLAC)
Presented at the SCS Technical Coordination Meeting, July 22, 1998
www.slac.stanford.edu/grp/scs/net/talk/bsd-fw/
Introduction
- Securing BSD at SLAC is a requirement from Richter
  – Protect BSD without destroying the open collaborative environment for most of SLAC
- This meeting's goals:
  – explain the current understanding and improve it
  – put forward some first steps
  – raise questions / concerns
  – prioritize and assign resources to address as appropriate
Legend
- Sage (Sun): Oracle server for BSD
- Parsley (Sun): Oracle server for SLAC (e.g. CANDO)
- Web-proxy (Sun or NT?): gives BSD folks a single way of getting to web pages outside BSD, and thus allows blocking of most other Web access
- ssh (Sun): single point of access to BSD for Unix logon, thus allowing blocking of most other ssh logons
- DHCP (Sun): dynamic host configuration server, needed inside BSD if DHCP is blocked at the firewall
- PS (NT): PeopleSoft server for BSD
- SMS's (NT), NTFS's (NT): provide support for a separate BSD NT domain
- ISDN (Cisco): allows dial-in access to BSD from home
Questions - Services
- How many BSD insiders need to telnet/ssh out?
- How many BSD insiders need to ftp out?
- Can BSD insiders use afs instead of ftp?
- Can we allow all simple TCP outbound access?
  – simple means non-stateful protocols
  – if so, then we may not need a Web proxy
- Can all BSD insiders use an ssh IMAP/POP client?
  – protects passwords that would otherwise be sent in the clear
- Do printers inside need to be accessed from outside?
- Do printers outside need to be accessed from inside?
- How does NT print? Is there an NT print server inside?
- Where does the Flex server go?
- Do we have to block DHCP/BootP?
- Do we need ISDN? If so, how many?
  – Costly ($700/mo, $12K one time) if more than, say, 4 users
  – What about host-stored passwords in shared homes?
  – Do these users already have ISDN?
- Do Ian, Freddie, Frank, George etc. need to be inside the firewall, outside, or both?
  – How many such people are there?
  – How do we identify them, and who is responsible for identifying them?
  – What are the possible solutions?
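The perimeter sketched in the Legend (one ssh chokepoint, one web proxy, DHCP kept inside) and the "all simple TCP outbound" question from the Services slide, modelled as a toy stateful packet filter. This is an added example and not code from the talk or from SLAC: the subnet, host addresses, port numbers and probe packets are constructed for illustration, and "simple" is read here as a protocol the firewall can pass by tracking only the connection the inside host itself opened. The model also shows why the ftp question is separate from the simple-TCP question: active-mode FTP (the RFC 959 default) has the server open the data connection back to the client, an inbound SYN that an outbound-only policy refuses, whereas passive mode opens both connections outward.

```python
"""Toy stateful perimeter filter for the proposed BSD firewall (added example).
All addresses, ports and packets below are constructed, not SLAC's."""
import ipaddress
from dataclasses import dataclass

BSD_NET = ipaddress.ip_network("192.0.2.0/24")  # hypothetical BSD subnet
SSH_GATEWAY = "192.0.2.10"   # the "ssh (Sun)" single point of access
WEB_PROXY = "192.0.2.11"     # the "Web-proxy" host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # True for a TCP connection-opening segment


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in BSD_NET


class PerimeterFilter:
    """New connections are judged by policy; replies by connection state."""

    def __init__(self, simple_tcp_outbound: bool):
        # True: any inside host may open any TCP connection outward, so the
        # web proxy is not needed for access.  False: only the proxy may reach
        # web ports and other outbound TCP is refused.
        self.simple_tcp_outbound = simple_tcp_outbound
        self.flows = set()  # 5-tuples of connections already permitted

    def _permit_new(self, p: Packet) -> bool:
        src_in, dst_in = is_inside(p.src), is_inside(p.dst)
        if src_in == dst_in:
            return True  # does not cross the perimeter; not this filter's concern
        if p.proto != "tcp" or not p.syn:
            # UDP (including DHCP/BootP on 67/68, which is served inside) and
            # non-SYN TCP segments never create state: default deny.
            return False
        if dst_in:  # inbound connection attempt: ssh to the gateway only
            return p.dport == 22 and p.dst == SSH_GATEWAY
        if p.dport in (80, 443):  # outbound web: proxy only, unless TCP is open
            return self.simple_tcp_outbound or p.src == WEB_PROXY
        return self.simple_tcp_outbound  # any other outbound TCP

    def check(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.flows or reverse in self.flows:
            return "allow (established)"
        if self._permit_new(p):
            self.flows.add(key)
            return "allow"
        return "deny"


def ftp_session(fw: PerimeterFilter, mode: str,
                client: str = "192.0.2.50", server: str = "198.51.100.7"):
    """Return (control, data) verdicts for an FTP session from an inside client.
    Active mode: the server connects back from port 20 (inbound SYN).
    Passive mode: the client opens the data connection outward too."""
    control = fw.check(Packet(client, server, "tcp", 41001, 21, syn=True))
    if mode == "active":
        data = fw.check(Packet(server, client, "tcp", 20, 41002, syn=True))
    else:
        data = fw.check(Packet(client, server, "tcp", 41003, 50000, syn=True))
    return control, data


def run_scenarios(simple_tcp_outbound: bool) -> dict:
    """Constructed probe packets against one policy; returns name -> verdict."""
    fw = PerimeterFilter(simple_tcp_outbound)
    outside = "198.51.100.7"  # hypothetical host outside BSD
    probes = {
        "ssh to gateway":    Packet(outside, SSH_GATEWAY, "tcp", 50000, 22, syn=True),
        "gateway reply":     Packet(SSH_GATEWAY, outside, "tcp", 22, 50000),
        "ssh to desktop":    Packet(outside, "192.0.2.50", "tcp", 50001, 22, syn=True),
        "proxy to web":      Packet(WEB_PROXY, outside, "tcp", 40000, 80, syn=True),
        "desktop to web":    Packet("192.0.2.50", outside, "tcp", 40001, 80, syn=True),
        "dhcp from outside": Packet("203.0.113.5", "192.0.2.50", "udp", 67, 68),
        "unsolicited ack":   Packet(outside, "192.0.2.50", "tcp", 50002, 80),
    }
    verdicts = {name: fw.check(p) for name, p in probes.items()}
    verdicts["active ftp"] = ftp_session(PerimeterFilter(simple_tcp_outbound), "active")
    verdicts["passive ftp"] = ftp_session(PerimeterFilter(simple_tcp_outbound), "passive")
    return verdicts


if __name__ == "__main__":
    for policy in (False, True):
        print(f"simple_tcp_outbound={policy}")
        for name, verdict in run_scenarios(policy).items():
            print(f"  {name:18} {verdict}")
```

Run stand-alone, it prints the verdicts under both policies. Under the proxy-only policy a desktop gets nothing through except via the two chokepoints; under the simple-TCP policy the web proxy is no longer needed for access, but active FTP is still stopped because its data channel is an inbound SYN, so ftp users would need passive-mode clients, afs as the slide suggests, or a stateful FTP helper in the firewall.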