> Apologies for a slightly off-topic question - it does have to do with
>security, though not (directly) firewalls.
Not that off-topic I think. You've designed a firewall.. and maybe a VPN. :)
> I'm busily setting up a small network that will use non-routable IP's -
>probably five boxes behind a gateway with a real IP. None of the
>machines will be able to see the internet, ever - and the internet can't
>be able to see any of them, either - at least not directly.
No internet access for the inside machines, ok.
> The problem I'm facing is how to allow telnet access THROUGH the
>gateway to the internal machines, with the absolute MAXIMUM security
>possible. What I've decided to do is lock down the gateway machine
>ENTIRELY, no outgoing connections, and only incoming ssh connections
>accepted. From there, the user's shell will be set to /usr/bin/telnet,
>with the only possible connections being the machines on the internal
>network. I've tested this VERY briefly - it works, and even displays
>the motd; so users will know the names of the machines to telnet to.
Did you audit the gateway from the outside? Is there a reason to not
use SSH internally, too?
> Security is so incredibly crucial in this project - I can't express
>it. Am I missing something large or small here?
The threat model. How trustworthy your authorized users are. How secure
the machines are that are coming in via SSH from the Internet.
>If someone were to
>gain access to the gateway box (the only user to have a non-telnet shell
>will be root, and then only from an attached dumb terminal) the project
>would probably be comprimised past saving. After the user is inside,
>packet sniffing becomes less of an issue - but it should be as near to
>impenetrable from the outside as possible.
> The issue I have is that, while I use it daily, I really don't have
>thorough knowledge of the 'telnet' program itself. There's a load of
>things it can do! Am I risking anything doing this? Are there any
>common exploits that allow someone at a "telnet>" prompt to read or
>write files, etc? I'm not so worried about spawning a shell, as that
>SHOULD be only spawning the user's default shell, which is
>/usr/bin/telnet. :)
Are you saying you don't trust the users you've given SSH access
to? If so, there's a massive problem.
What OS is this, and which telnet client, and we can answer better. My
Solaris 2.5.1 telnet client, which I believe is just the one that came with the
OS,
includes a ! command which drops me straight to a shell. Don't know if
that changes if telnet is my parent shell.
Telnet can be used to map ports on the inside machines. This probably not a
concern
since they've got legitimate access to at least one inside machine.. it would be
easier to do it from that one. I also assume that inside machines attacking the
gateway
wouldn't be a concern, if it's good enough to stand up to the Internet.
Pay particular attention to the machines that come in via SSH. Those are going
to
be the easiest place to break in if you've locked down the gateway really well.
Ryan
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
