*BSD News Article 57971


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.ecn.uoknor.edu!paladin.american.edu!zombie.ncsc.mil!news.mathworks.com!newsfeed.internetmci.com!swrinde!news.uh.edu!uuneo.neosoft.com!nmtigw!zuul.nmti.com!peter
From: peter@nmti.com (Peter da Silva)
Newsgroups: comp.unix.bsd.misc
Subject: Re: Internet E-Mail Security
Date: 4 Jan 1996 03:55:09 GMT
Organization: Network/development platform support, NMTI
Lines: 34
Message-ID: <4cfj2t$hsf@zuul.nmti.com>
References: <e63_9601030244@woodybbs.com>
NNTP-Posting-Host: sonic.nmti.com

In article <e63_9601030244@woodybbs.com>,
John Woodstock <john.woodstock@woodybbs.com> wrote:
>     a)  Is this a real overkill, or do many folks use a two step process?

For UUCP, this is overkill. For TCP/IP, it's the minimal acceptable.

Why?

UUCP is pretty tight. All it can do is copy files, and then only from
and to specific locations, and run two or three commands with the command
line provided by *you*, not the other end.

TCP/IP is a different matter.

What I'd recommend for TCP/IP is the dual-router-bastion arrangement
bandied about on the firewalls list:


Internet------{R1}---------------------------{R2}-----Your network
                            |
                            Bastion

R1 only allows connections from the Internet to the Bastion.

R2 only allows connections from your network to the bastion.

They only allow protocols you're prepared to support. That way if someone
breaks the bastion they can't mount attacks on the Internet so easily, and
they can't attack your system.
-- 
Peter da Silva    (NIC: PJD2)      `-_-'             1601 Industrial Boulevard
Bailey Network Management           'U`             Sugar Land, TX  77487-5013
+1 713 274 5180         "Har du kramat din varg idag?"                     USA
Bailey pays for my technical expertise.        My opinions probably scare them
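
The dual-router arrangement described in the post above, modelled as a default-deny policy check. This is an added example, not part of the original article; the addresses, port numbers and function names are constructed assumptions, and only connection initiation is modelled (replies on an accepted connection are assumed to pass).

```python
import ipaddress

# Constructed addressing and ports (assumptions, not from the post).
INSIDE = ipaddress.ip_network("10.0.0.0/8")        # "Your network", behind R2
PERIMETER = ipaddress.ip_network("192.0.2.0/24")   # segment between R1 and R2
BASTION = ipaddress.ip_address("192.0.2.10")
SUPPORTED = {"R1": {25, 53}, "R2": {25, 53, 8080}}  # protocols each router passes
ZONES = ["internet", "perimeter", "inside"]         # left to right in the diagram

def zone(addr):
    ip = ipaddress.ip_address(addr)
    if ip in INSIDE:
        return "inside"
    return "perimeter" if ip in PERIMETER else "internet"

def routers_on_path(src, dst):
    """R1 joins internet/perimeter, R2 joins perimeter/inside."""
    a, b = ZONES.index(zone(src)), ZONES.index(zone(dst))
    return [r for i, r in enumerate(["R1", "R2"]) if min(a, b) <= i < max(a, b)]

def router_permits(router, src, dst, port):
    """Each router passes only new connections *to* the bastion that
    originate on its own outer side, on a supported port."""
    wanted_src = "internet" if router == "R1" else "inside"
    return (zone(src) == wanted_src
            and ipaddress.ip_address(dst) == BASTION
            and port in SUPPORTED[router])

def connection_allowed(src, dst, port):
    return all(router_permits(r, src, dst, port)
               for r in routers_on_path(src, dst))

def audit():
    """Constructed connection attempts, including a compromised bastion."""
    attempts = {
        "internet -> bastion smtp":  ("203.0.113.7", "192.0.2.10", 25),
        "inside -> bastion proxy":   ("10.1.2.3", "192.0.2.10", 8080),
        "internet -> inside smtp":   ("203.0.113.7", "10.1.2.3", 25),
        "inside -> internet direct": ("10.1.2.3", "203.0.113.7", 25),
        "bastion -> inside":         ("192.0.2.10", "10.1.2.3", 25),
        "bastion -> internet":       ("192.0.2.10", "203.0.113.7", 25),
    }
    return {name: connection_allowed(*a) for name, a in attempts.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{'PERMIT' if ok else 'DENY  '} {name}")
```
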