[EMAIL PROTECTED] wrote:

> Could someone explain to me what could happen and or how if Telnet is used to
> bypass control if it is left on a unix firewall computer. I know what should not
> be on a firewall computer, I just do not always know why, I am an auditor trying
> ...

1) Telnet allows you to log into your computer as if you were sitting
at the console.  Leaving telnet open on an Internet firewall allows
anyone on the internet to anonymously "sit down at the firewall
console" and try to log in.  You wouldn't let just anyone walk into
your office and try to log into your firewall, so why would you let
them do it from anywhere else?

At the very least, you should have some type of screening to control
what protocols even reach the firewall, e.g., a screening router that
blocks telnet from the outside to the firewall.  However, by doing
this you have added slightly to the complexity, and possibly cost, of
your firewall system.  If your admins do not understand why you do not
want telnet on your firewall, will they understand how to configure
the router?

2) Telnet traffic passes across the network unencrypted. When an
authorized user logs in via telnet, the login name and password are
visible to anyone watching the network traffic.  Even if you block
telnet from the outside, do you really want ANYONE on the inside to be
able to log into your firewall?

3) If you need the ability to administer your firewall remotely:
  a) Look into other protocols like secure shell (ssh) which encrypt
all traffic, including the login name and password.

  b) Provide some type of screening to control where that protocol is
allowed from.  For example, only ssh traffic from the subnet of the IS
department is allowed to even reach the firewall.

 - Paul
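As an added example (not part of Paul's message or the list archive), here is a small audit script for the two points in 3): it parses constructed `ss -ltn` and `iptables-save` style samples and flags a telnet listener, any rule accepting tcp/23, and any rule accepting ssh from wider than an assumed admin subnet (10.20.0.0/24 is a placeholder, not a value from the message).

```python
"""Audit helper: flag telnet on a firewall host and over-broad ssh admin access."""
import ipaddress
import re

TELNET, SSH = 23, 22

# Constructed sample in `ss -ltn` format (not captured from a real host).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      10     0.0.0.0:23         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

# Constructed sample of `iptables-save` INPUT rules (not from a real host).
IPTABLES_SAMPLE = """\
-A INPUT -s 10.20.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
"""

def listening_ports(ss_output):
    """Return the set of TCP ports in LISTEN state from `ss -ltn` output."""
    ports = set()
    for line in ss_output.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def accept_rules(iptables_output):
    """Return (source_network, dport) for every ACCEPT rule with a --dport."""
    rules = []
    for line in iptables_output.splitlines():
        if "-j ACCEPT" not in line or "--dport" not in line:
            continue
        src = re.search(r"-s (\S+)", line)  # no -s means any source
        port = int(re.search(r"--dport (\d+)", line).group(1))
        rules.append((ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0"), port))
    return rules

def audit(ss_output, iptables_output, admin_net="10.20.0.0/24"):
    """List findings: telnet exposed at all, or ssh reachable beyond admin_net."""
    admin = ipaddress.ip_network(admin_net)  # hypothetical IS department subnet
    findings = []
    if TELNET in listening_ports(ss_output):
        findings.append("telnet (tcp/23) is listening on the firewall")
    for net, port in accept_rules(iptables_output):
        if port == TELNET:
            findings.append(f"telnet accepted from {net}")
        elif port == SSH and not net.subnet_of(admin):
            findings.append(f"ssh accepted from {net}, wider than admin subnet {admin}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SS_SAMPLE, IPTABLES_SAMPLE)) or "no findings")
```

A clean result is an empty list: no telnet listener, no tcp/23 accept rule, and every tcp/22 accept rule scoped to the admin subnet.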