DataMuseum.dk

Presents historical artifacts from the history of:

DKUUG/EUUG Conference tapes

This is an automatic "excavation" of a thematic subset of
artifacts from Datamuseum.dk's BitArchive.

See our Wiki for more about DKUUG/EUUG Conference tapes

Excavated with: AutoArchaeologist - Free & Open Source Software.



⟦f369d23ab⟧ TextFile

    Length: 42374 (0xa586)
    Types: TextFile
    Names: »b.cheswick.secure.internet.gtway.ps«

Derivation

└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
    └─⟦this⟧ »./papers/Network_Security/b.cheswick.secure.internet.gtway.ps« 

TextFile

%!PS	div 112 page header - research!pg
% inch: convert a length given in inches to default user-space units
% (72 units per inch).  Usage:  <number> inch  ->  <number * 72>
/inch { 72 mul } def
% pageborder: stroke a 2-unit black outline around the rectangle whose
% corners are (25,25) and (590,747).  Takes no operands.
/pageborder
{ 2 setlinewidth
  0 setgray
  25 747 moveto      % start at the top-left corner
  565 0 rlineto      % top edge, ends at (590,747)
  0 -722 rlineto     % right edge, ends at (590,25)
  -565 0 rlineto     % bottom edge, ends at (25,25)
  closepath          % left edge, back to the start
  stroke
} def

% topborder: stroke a 2-unit black outline around the strip whose
% corners are (25,747) and (590,773).  Takes no operands.
/topborder
{ 2 setlinewidth
  0 setgray
  25 773 moveto      % start at the top-left corner
  565 0 rlineto      % top edge, ends at (590,773)
  0 -26 rlineto      % right edge, ends at (590,747)
  -565 0 rlineto     % bottom edge, ends at (25,747)
  closepath          % left edge, back to the start
  stroke
} def

% toptext: print the banner line (user name and timestamp) in 14-unit
% Courier-Bold with its baseline starting at (120,756).  Takes no operands.
/toptext
{
  /Courier-Bold findfont 14 scalefont setfont   % select the font first
  120 756 moveto                                % then position the text
  (ches Fri Apr 20 07:46:11 EDT 1990) show
} def

% prface: paint the 48x48 one-bit bitmap below as a mask in a chosen gray.
% Operands, listed bottom of stack first:
%   gray  sx sy  angle  tx ty  prface
% They are consumed top-down by translate (tx ty), rotate (angle),
% scale (sx sy) and setgray (gray).  The graphics state is restored on exit.
/prface
{
  gsave
  translate rotate scale
  setgray
  % 48 columns x 48 rows, polarity true: 1 bits are painted in the current
  % gray, 0 bits leave the page untouched.  Each row below is 12 hex digits
  % (48 bits).  The matrix [48 0 0 -48 0 48] maps the image onto the unit
  % square with the first row at the top.
  % NOTE(review): presumably a face icon, going by the procedure name; the
  % data itself does not say what it depicts.
  48 48 true [48 0 0 -48 0 48] {<00000e320000
00007fff0000
0001ffffc000
0007fffff000
000ffffff800
000ffffffc00
001ffffffc00
003ffffffe00
003fffffff00
007fffffff00
007fffffff80
01ffffffff80
01ffffffffc0
03fffcfbffc0
00fff982ffc0
01ffa040ffe0
01ff00003fc0
00fe00005fc0
01fc00009ff0
00fe80003ff0
00fc2007dfe0
00fffc1ffff0
00fe5120bfe4
00ff8e30ffd0
00f6ff6fdfe8
003bf259bf12
00388f325e28
000920243c52
00084658ae28
00148a381c54
000a2401e650
000803781eaa
001506e056a8
000441149d50
00090e093ea8
0004503e0d68
00033fe23d50
0004041c6ad0
000589009da8
000212287b50
0007444536a0
000288087aa8
00052001f540
0002c32beb50
0005fa57fe80
00186aaff0a0
0022bd5fd900
00681fff3400>} imagemask
  grestore
} def

% Emit the one-page banner sheet using the procedures defined above.
% save/restore brackets the job so its definitions and graphics state do
% not leak into the document that follows; mark/cleartomark discards
% anything left on the operand stack.
% NOTE(review): the job writes to statusdict, i.e. device settings rather
% than page content.  When rendering this archived file, an interpreter
% run with file and device access restricted (e.g. Ghostscript -dSAFER)
% is the prudent choice.
save
	mark
	% turn manual feed off in the device-specific status dictionary
	statusdict begin /manualfeed false def end
	% print a single copy of the banner page
	/#copies 1 def
	% start from a blank page and a default graphics state
	erasepage initgraphics
	pageborder
	topborder
	toptext
	% small bitmap: black, 14x14 units, unrotated, at (94,752)
	0 14 14 0 94 752 prface
	% large bitmap: 30% gray, 180x180 units, rotated -90 degrees,
	% placed at (3.0 inch, 10.2 inch)
	.3 180 180 -90 3.0 inch 10.2 inch prface
	showpage
	cleartomark
restore
%!

%!PS
%!
% TeXDict: prolog for the TeX-generated document that follows.  It creates
% a 200-entry dictionary and defines the short operators the page bodies
% use.  The code is machine-wrapped, so line breaks fall between tokens
% and carry no meaning.
%
%   Resolution          300 units per inch; Inch multiplies by Resolution
%   @letter / @start    scale to 72/Resolution with the y axis flipped,
%                       translate, and remember the matrix in Mtrx
%   @landscape          same idea with the axes swapped via Mtrx
%   @copies             set #copies from the operand
%   df                  create a Type 3 font (FontType 3, BitMaps, Encoding,
%                       BuildChar = CharBuilder) and make it current
%   dc                  store one character (6-element packed array) in the
%                       current font's BitMaps under the given character code
%   CharBuilder         BuildChar routine: setcachedevice, then imagemask
%   bop / eop           begin page (Mtrx setmatrix, save, 0 0 moveto) /
%                       end page (showpage, restore)
%   p                   show            a   moveto
%   (s) n b             show s, set delta = n, move right by delta
%   c d e f             show, delta = delta - 4 / 3 / 2 / 1, move right by delta
%   g                   show, move right by delta unchanged
%   h i j k             show, delta = delta + 1 / 2 / 3 / 4, move right by delta
%   l m n o             show, move right by -4 / -3 / -2 / -1
%   q r s t             show, move right by +1 / +2 / +3 / +4
%   n w / n x           relative move, horizontal / vertical
%   (s) x y  y          show s, then moveto x y
%   v                   fill a rectangle dx wide and dy high at the current point
%   li rl rc np st fil ellipse   path-drawing helpers
%   bos / eos           save / restore around a section
%
% Consequence for readers of the raw file: the document text sits in the
% parenthesised strings of the page bodies, and word spacing is expressed
% by these one-letter operators rather than by space characters.
/TeXDict 200 dict def TeXDict begin /packedarray where not{/packedarray{array
astore}bind def}if /setpacking where{/curpack currentpacking def pop true
setpacking}if /Resolution 300 def /Inch{Resolution mul}bind def /Mtrx 6 array
def /imm matrix def /@letter{72 Resolution div dup neg scale 1.03 Resolution
mul -10.02 Resolution mul translate Mtrx currentmatrix pop}def /@landscape{
initmatrix 72 Resolution div dup neg scale Mtrx currentmatrix 0 0.0 put Mtrx 1
-1.0 put Mtrx 2 1.0 put Mtrx 3 0.0 put Mtrx setmatrix 1.0 Resolution mul 1.03
Resolution mul translate Mtrx currentmatrix pop}def /@copies{/#copies exch def
}def /@restore /restore load def /restore{@restore}bind def /@pri{( )print
(                                       )cvs print}bind def /dmystr(ZZf@@)def
/newname{dmystr cvn}def /@FontMatrix[1 0 0 -1 0 0]def /@FontBBox[0 0 1 1]def
/CharBuilder{exch /BitMaps get exch get dup null ne{aload pop 0 3 index neg 3
index neg 7 index 2 index add 7 index 2 index add setcachedevice imm dup 5 4
-1 roll put dup 4 4 -1 roll put true exch 5 -1 roll imagemask}{pop}ifelse}
bind def /df{/fontname exch def dmystr 2 fontname cvx(@@@)cvs putinterval
newname 7 dict def newname load begin /FontType 3 def /FontMatrix @FontMatrix
def /FontBBox @FontBBox def /BitMaps 1 index array def /BuildChar /CharBuilder
load def /Encoding 1 index array def 0 1 3 -1 roll 1 sub{Encoding exch /.undef
put}for end newname newname load definefont setfont fontname{/foo setfont}2
array copy cvx def fontname load 0 dmystr 5 string copy cvn cvx put}bind def
/dc{/ch-code exch def 6 packedarray currentfont /BitMaps get ch-code 3 -1 roll
put currentfont /Encoding get ch-code dup(   )cvs cvn put}bind def /bop{Mtrx
setmatrix /SaveImage save def 0 0 moveto}bind def /eop{showpage SaveImage
restore}bind def /@start{@letter}bind def /@end{end}bind def /p /show load def
/v{/dy exch neg def /dx exch def /x1 currentpoint /y1 exch def def newpath x1
y1 moveto dx 0 rlineto 0 dy rlineto dx neg 0 rlineto closepath fill x1 y1
moveto}bind def /li /lineto load def /rl /rlineto load def /rc /rcurveto load
def /np{/SaveX currentpoint /SaveY exch def def newpath}bind def /st{stroke
SaveX SaveY moveto}bind def /fil{fill SaveX SaveY moveto}bind def /ellipse{
/endangle exch def /startangle exch def /yrad exch def /xrad exch def /yc exch
def /xc exch def /savematrix matrix currentmatrix def xc yc translate xrad
yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}bind def /a
/moveto load def /delta 0 def /b{exch p dup /delta exch def 0 rmoveto}bind def
/c{p delta 4 sub dup /delta exch def 0 rmoveto}bind def /d{p delta 3 sub dup
/delta exch def 0 rmoveto}bind def /e{p delta 2 sub dup /delta exch def 0
rmoveto}bind def /f{p delta 1 sub dup /delta exch def 0 rmoveto}bind def /g{p
delta 0 rmoveto}bind def /h{p delta 1 add dup /delta exch def 0 rmoveto}bind
def /i{p delta 2 add dup /delta exch def 0 rmoveto}bind def /j{p delta 3 add
dup /delta exch def 0 rmoveto}bind def /k{p delta 4 add dup /delta exch def 0
rmoveto}bind def /l{p -4 0 rmoveto}bind def /m{p -3 0 rmoveto}bind def /n{p -2
0 rmoveto}bind def /o{p -1 0 rmoveto}bind def /q{p 1 0 rmoveto}bind def /r{p 2
0 rmoveto}bind def /s{p 3 0 rmoveto}bind def /t{p 4 0 rmoveto}bind def /w{0
rmoveto}bind def /x{0 exch rmoveto}bind def /y{3 -1 roll show moveto}bind def
/bos{/section save def}bind def /eos{section restore}bind def /setpacking
where{pop curpack setpacking}if end
%!
% Font helpers for the printer's built-in fonts.
%
%   /NewName /BaseName angle ObliqueFont
%       Build a slanted copy of a base font.  The shear matrix is
%       [1 0 tan(angle) 1 0 0], with tan computed as sin/cos.  Every entry
%       of the transformed font dictionary is copied except FID, the
%       Encoding array is duplicated rather than shared, FontName is set
%       to the new name, and the result is registered with definefont.
%   The two calls after the definition create Symbol-Oblique (15 degrees)
%   and Times-Oblique (15.5 degrees).
%
%   /TeXname /PSname size pf
%       Define TeXname as a procedure that selects font PSname at the given
%       size.  size is divided by 4736286.72 (= 65536 * 72.27, TeX scaled
%       points per inch) and multiplied by Resolution; the font matrix is
%       [scfact 0 0 -scfact 0 0], i.e. scaled with the y axis negated.
%       Uses dmystr, newname and Resolution, which this block does not
%       define itself.
/ObliqueFont{/ObliqueAngle exch def /ObliqueBaseName exch def /ObliqueFontName
exch def /ObliqueTransform[1 0 ObliqueAngle sin ObliqueAngle cos div 1 0 0]
def /basefontdict ObliqueBaseName findfont ObliqueTransform makefont def
/newfont basefontdict maxlength dict def basefontdict{exch dup /FID ne{dup
/Encoding eq{exch dup length array copy newfont 3 1 roll put}{exch newfont 3 1
roll put}ifelse}{pop pop}ifelse}forall newfont /FontName ObliqueFontName put
ObliqueFontName newfont definefont pop}def /Symbol-Oblique /Symbol 15
ObliqueFont /Times-Oblique /Times-Roman 15.5 ObliqueFont /pf{4736286.72 div
Resolution mul /scfact exch def /PSname exch def /TeXname exch def dmystr 2
TeXname cvx(@@@)cvs putinterval PSname findfont[scfact 0 0 scfact neg 0 0]
makefont newname exch def TeXname{/foo setfont}2 array copy cvx def TeXname
load 0 dmystr 5 string copy cvn cvx put}def
TeXDict begin @start bos 128 /fa df<FFF0FFF0>12 2 -1 -8 16 45 dc<60F0F060>4 4
-5 0 13 46 dc<03E0000E3800180C00300600300600700700600300600300E00380E00380E003
80E00380E00380E00380E00380E00380E00380E00380E00380E00380E003806003006003007007
00300600300600180C000C180003E000>17 29 -3 1 23 48 dc<01800003C00003C00003C000
03C00003C00003C00003C00001C00001C00001C00001C00000C00000C000006000006000002000
0020000010000010000008008004008002008002004001007FFF807FFF807FFFC0400000>18 29
-3 1 23 55 dc<FF803FFC1E0007C00C000780040007800400078002000F0002000F0002001F00
01001E0001FFFE0000803C0000803C0000803C0000407800004078000040F8000020F0000020F0
000011E0000011E0000011E000000BC000000BC000000FC0000007800000078000000300000003
000000030000>30 29 -2 0 34 65 dc<FFF00F000F000F000F000F000F000F000F000F000F00
0F000F000F000F000F000F000F000F000F000F000F000F000F000F000F000F00FFF0>12 28 -3
0 17 73 dc<000003E0FFF00E100F001E100F001C080F003C080F003C080F003C000F003C000F
003C000F003C000F003C000F003C000F0078000F0070000F01E0000FFF80000F00F0000F003800
0F001C000F000E000F000F000F000F000F000F000F000F000F000E000F001C000F0038000F00F0
00FFFF8000>29 29 -3 1 33 82 dc<000F80000070600000E0180001C0040003800400078002
00070002000F0001000F0001000F0001000F0001000F0001000F0001000F0001000F0001000F00
01000F0001000F0001000F0001000F0001000F0001000F0001000F0001000F0001000F0001000F
0001000F0001000F000380FFF01FF0>28 29 -3 1 34 85 dc<FE0FF83803C01801C008038008
038008038007FF00040700040700020E00020E00011C00011C00011C0000B80000B80000B80000
7000007000007000002000>21 21 -1 0 25 97 dc<FFFE001C07801C03C01C01C01C01E01C01
E01C01E01C01E01C03C01C03801FFF001FFF001C07801C03801C03C01C03C01C03C01C03C01C03
801C0700FFFC00>19 21 -1 0 24 98 dc<00FC000783000E00801C0040380040780020700020
F00020F00000F00000F00000F00000F00000F000207000207800203800601C00E00E01E0078260
00FC20>19 21 -2 0 25 99 dc<FFFC001C07001C01C01C00E01C00E01C00701C00701C00781C
00781C00781C00781C00781C00781C00781C00701C00701C00E01C00E01C01C01C0700FFFC00>
21 21 -1 0 26 100 dc<FFFFC01C01C01C00C01C00401C00601C00201C10201C10201C10001C
30001FF0001C30001C10001C10001C10401C00401C00401C00801C00801C0380FFFF80>19 21
-1 0 23 101 dc<FF8FF81C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01F
FFC01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C01C0FF8FF8>21 21 -1 0 25
104 dc<FF801C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C
001C001C00FF80>9 21 -1 0 13 105 dc<FF83FC1C01F01C01E01C01C01C03801C07801C0700
1C0E001E1C001D1C001CB8001C70001C30001C10001C08001C04001C02001C01001C01801C01E0
FF83F8>22 21 -1 0 26 107 dc<FFFF001C07001C03001C01001C01801C00801C00801C00801C
00001C00001C00001C00001C00001C00001C00001C00001C00001C00001C00001C0000FFC000>
17 21 -1 0 21 108 dc<FE083FE0381C0700101C0700101C0700103A0700103A070010710700
107107001071070010E0870010E0870011C0470011C0470011C047001380270013802700170017
0017001700170017001E000F00FE000FE0>27 21 -1 0 31 109 dc<FE00403800C01000C01001
C01003C01007C0100740100E40101C40101C4010384010704010704010E04011C04013C0401380
401700401E00401E00E0FC03F8>21 21 -1 0 25 110 dc<01F800070E001E07801C03803801C0
7801E07000E0F000F0F000F0F000F0F000F0F000F0F000F0F000F07000E07801E03801C01C0380
0C0300070E0001F800>20 21 -2 0 26 111 dc<FF80001C00001C00001C00001C00001C00001C
00001C00001C00001C00001FFC001C0F001C03801C03C01C03C01C03C01C03C01C03C01C03801C
0F00FFFC00>18 21 -1 0 23 112 dc<FF80F81C03CC1C07C41C07841C07801C07001C07001C07
001C0E001C1C001FF8001C0E001C07801C03801C03C01C03C01C03C01C03801C07801C0E00FFF8
00>22 21 -1 0 25 114 dc<8FC0F060C03080108018801800180038007803F01FE03FC07E00E0
00C000C010C010C030603030F01F10>13 21 -2 0 19 115 dc<07FF0000700000700000700000
700000700000700000700000700000700000700000700000700000700080700880700880700840
70104070106070307FFFF0>21 21 -1 0 25 116 dc<00FC000386000601000E00800C00C01C00
401C00401C00401C00401C00401C00401C00401C00401C00401C00401C00401C00401C00401C00
401C00E0FF83F8>21 21 -1 0 25 117 dc<FE07F83C03C00C03C0040380040700020F00010E00
011C0000BC0000780000700000F00000F00001D00003C8000384000704000F02000E03001E0380
FF87F0>21 21 -1 0 25 120 dc<01FF0000380000380000380000380000380000380000380000
3800007C0000740000E20000E20001C10003C1800380800700400F00400E00201E0078FF80FE>
23 21 0 0 25 121 dc /fb /Times-Bold 786432 pf /fc /Courier 655360 pf /fd
/Times-Bold 655360 pf /fe /Times-Italic 655360 pf /ff /Symbol 655360 pf /fg
/Times-Roman 655360 pf bop 538 282 a fb(The)13 b(Design)f(of)g(a)g(Secur)o
(e)h(Internet)f(Gateway)857 377 y fg(Bill)c(Cheswick)783 427 y(ches@research.\
att.com)772 510 y fe(A)n(T&T)j(Bell)g(Laboratories)712 560 y(Murray)f(Hill,)f
(New)h(Jersey)j(07974)867 681 y fg(ABSTRACT)254 781 y(The)h(Internet)e(suppor\
ts)g(a)i(vast)f(and)g(growing)f(community)g(of)h(computers)h(users)f(around)g
(the)g(world.)150 831 y(Unfortunately)m(,)c(this)h(network)f(can)i(provide)f
(anonymous)g(access)i(to)e(this)f(community)h(by)g(the)g(unscrupulous,)150 881
y(careless,)17 b(or)d(dangerous.)25 b(On)14 b(any)g(given)g(Internet)f(there)
i(is)f(a)g(certain)g(percentage)h(of)f(poorly-maintained)150 931 y(systems.)
27 b(A)-5 b(T&T)16 b(has)f(a)h(lar)o(ge)e(internal)g(Internet)g(that)g(we)h
(wish)f(to)g(protect)f(from)i(outside)e(attacks,)k(while)150 980 y(providing)
8 b(useful)i(services)h(between)f(the)h(two.)254 1030 y(This)f(paper)h(descri\
bes)g(our)f(Internet)g(gateway)m(.)16 b(It)10 b(is)h(an)g(application-level)d
(gateway)j(that)f(passes)i(mail)150 1080 y(and)f(many)h(of)f(the)g(common)g
(Internet)g(services)h(between)g(our)e(internal)g(machines)j(and)e(the)g(Inte\
rnet.)16 b(This)11 b(is)150 1130 y(accomplished)i(without)d(IP)i(connectivity)
f(using)g(a)i(pair)f(of)g(machines:)18 b(a)13 b(trusted)e(internal)g(machine)
i(and)g(an)150 1180 y(untrusted)c(external)h(gateway)m(.)15 b(These)d(are)f
(connected)g(by)f(a)h(private)f(link.)j(The)e(internal)e(machine)i(provides)f
(a)150 1229 y(few)g(carefully-guarded)f(services)h(to)f(the)h(external)f(gate\
way)m(.)15 b(This)9 b(con\256guration)f(helps)i(protect)f(the)g(internal)150
1279 y(internet)g(even)i(if)f(the)g(external)g(machine)h(is)f(fully)f(comprom\
ised.)0 1425 y fd(1.)42 b(Intr)o(oduction)104 1502 y fg(The)14 b(design)e(of)
h(a)h(Corporate)e(gateway)h(to)g(the)g(Inter-)0 1552 y(net)j(must)g(deal)h
(with)e(the)i(classical)g(tradeof)o(f)f(between)h(se-)0 1601 y(curity)11 b
(and)i(convenience.)21 b(Most)12 b(institutio)o(ns)e(opt)h(for)h(con-)0 1651 y
(venience)j(and)g(use)h(a)f(simple)g(router)f(between)h(their)f(inter-)0 1701
y(nal)e(internets)f(and)h(the)g(rest)h(of)e(the)h(world.)19 b(This)12 b(is)g
(danger-)0 1751 y(ous.)18 b(Strangers)11 b(on)h(the)f(Internet)g(can)h(reach)
h(and)e(test)h(every)0 1801 y(internal)i(machine.)30 b(W)n(ith)15 b(workstati\
ons)f(sitting)f(on)i(many)0 1850 y(desks,)c(system)g(administration)d(is)i
(often)g(decentralized)h(and)0 1900 y(neglected.)23 b(Passwords)13 b(are)h
(weak)g(or)f(missing.)21 b(A)13 b(profes-)0 1950 y(sor)c(or)h(researcher)h
(often)e(may)h(install)f(the)g(operating)g(system)0 2000 y(and)i(for)o(get)f
(it,)g(leaving)g(well-known)f(security)h(holes)h(uncor-)0 2050 y(rected.)k
(For)10 b(example,)i(a)f(sweep)g(of)g(1,300)e(machines)j(inside)0 2100 y(Bell)
g(Labs)h(around)e(the)h(time)h(of)e(the)i(Internet)e(W)m(orm)h(found)0 2149 y
(over)d(300)g(that)g(had)g(at)g(least)h(one)f(of)g(several)h(known)f(security)
0 2199 y(holes.)104 2268 y(When)25 b(we)g(\256rst)f(obtained)f(a)j(connection)
d(to)h(the)0 2317 y(ARP)l(Anet,)15 b(Dave)g(Presotto)f(con\256gured)g(our)g
(gateway)g(ma-)0 2367 y(chine)h(\(named)h fa(arp)m(a)p fg(\))g(as)g(an)g(appl\
ication-level)d(gateway)m(.)0 2417 y(For)e(two)f(years)i(this)e(machine)i(was)
f(the)g(sole)g(of)o(\256cial)g(link)f(to)0 2467 y(the)15 b(Internet)f(for)h
(A)-5 b(T&T)m(.)17 b(Until)c(its)i(disconnection)e(a)j(little)0 2517 y(while)
c(ago,)j(this)d(V)-5 b(AX)12 b(750)h(handled)f(all)h(the)g(Internet)f(mail)0
2566 y(traf)o(\256c)i(and)f(other)f(services)i(for)e(the)h(company)m(.)23 b fa
(Arp)m(a)14 b fg(had)0 2616 y(Ethernet)d(connections)g(to)g(both)f(the)h(insi\
de)g(and)g(outside)g(In-)0 2666 y(ternets,)f(just)f(like)h(a)h(router)n(.)i
(It)c(could)h(also)g(make)h(and)f(accept)0 2716 y(calls)g(on)g(our)g(corporat\
e)g(Datakit)g(network.)1139 1425 y(Dave)k(took)f(a)i(number)f(of)f(steps)h
(to)g(make)h(our)e(gate-)1035 1475 y(way)h(more)h(secure.)26 b(He)14 b(turned)
g(of)o(f)f(IP)h(forwarding)f(in)g(the)1035 1525 y(kernel)j(so)g(packets)g(cou\
ld)g(not)f(travel)h(between)g(the)g(Inter-)1035 1575 y(nets.)34 b(He)18 b(ins\
talled)e(a)h(kernel)g(modi\256cation)f(that)g(limited)1035 1624 y(TCP)e(conne\
ctions)g(from)g fa(arp)m(a)h fg(to)e(the)h(inside)g(network)f(to)1035 1674 y
fe(smtp)p fg(,)k fe(uucp)p fg(,)g fe(named)q fg(,)g(and)f fe(hostname)f fg
(ports.)29 b(And)15 b(he)h(re-)1035 1724 y(jected)11 b(the)f fe(sendmail)g fg
(mailer)g(as)h(too)f(complicated)h(and)f(dan-)1035 1774 y(gerous:)22 b(the)15
b(Upas[1])f(mailer)h(was)h(installed)e(in)g(its)g(place.)1035 1824 y(W)m(e)i
(removed)g(a)h(number)e(of)h(non-essential)f(daemons,)j(in-)1035 1873 y(cludi\
ng)9 b(the)h fe(\256nger)g fg(server)n(.)1139 1946 y(T)m(o)g(give)f(insiders)
f(access)k(to)d(the)g(Internet,)h(a)g fe(gate)f fg(ser-)1035 1996 y(vice)17 b
(was)g(installed)e(on)h fa(arp)m(a)p fg(.)35 b(Insiders)16 b(could)f(call)i
(this)1035 2046 y(service)d(and)f(supply)f(an)i(Internet)e(address.)24 b(The)
14 b(gate)f(con-)1035 2095 y(nected)j(to)e(a)i(socket)f(of)g(a)g(remote)h(Int\
ernet)e(host)g(and)i(then)1035 2145 y(copied)11 b(bytes)f(between)i(the)e(two)
h(connections.)k(It)c(was)g(easy)1035 2195 y(to)f(provide)f fe(atelnet)p fg
(,)i(a)g(version)f(of)g fe(telnet)g fg(that)g(used)h(the)f(gate)1035 2245 y
(service.)29 b fe(Aftp)14 b fg(supplied)g(FTP)h(services:)24 b(it)14 b(was)i
(the)e(stan-)1035 2295 y(dard)c(FTP)h(modi\256ed)f(so)h(both)e(the)h(command)
h(and)g(data)f(con-)1035 2344 y(nections)i(were)i(initiated)d(from)i(the)g
(inside.)21 b(\(The)13 b(standard)1035 2394 y fe(ftp)e fg(would)g(have)h(trie\
d)f(to)g(make)i(the)f(data)g(connection)f(from)1035 2444 y fa(arp)m(a)h fg
(to)f(the)g(inside,)g(a)g(connection)g(prohibited)d(by)j fa(arp)m(a)p fg(')n
(s)1035 2494 y(kernel.\))1139 2566 y(This)d(con\256guration)f(successfully)i
(resisted)f(the)h(Inter-)1035 2616 y(net)g(worm.)14 b(W)m(e)c(ran)f(neither)g
fe(sendmail)f fg(nor)h fe(\256nger)n(d)q fg(,)h(the)f(two)1035 2666 y(program\
s)h(exploited)g(by)g(the)g(worm.[2])g(The)i(internal)d(inter-)1035 2716 y(net)
g(was)g(spared)h(the)e(infection.)13 b(\(Actually)m(,)8 b(there)h(was)h(a)f
(sec-)1929 2917 y(1)g eop bop 0 57 a fg(ond,)14 b(unguarded)f(IP)g(link)f(to)
h(the)g(Outside.)23 b(W)m(e)14 b(got)e(lucky:)0 107 y(only)e(a)i(few)g(machin\
es)h(at)e(the)h(other)e(end)i(knew)g(of)f(the)g(link,)0 157 y(and)16 b(their)
f(machines)h(were)h(shut)e(down)g(before)h(the)f(worm)0 207 y(could)10 b(cree\
p)h(across.\))104 278 y(Had)k fa(arp)m(a)h fg(been)f(infected,)h(the)f(worm)g
(could)f(have)0 328 y(reached)e(the)e(inside)g(machines.)16 b(The)11 b(initia\
l)e fe(smtp)h(sendmail)0 378 y fg(connection)g(was)h(permitted,)f(and)h(the)f
(worm')n(s)g(second)h(con-)0 427 y(nection)d(would)g(have)h(been)h(initiated)
d(from)h(the)h(inside)f(tar)o(get)0 477 y(machine)j(into)e fa(arp)m(a)p fg
(,)j(the)e(permitted)g(direction.)0 587 y fd(2.)42 b(The)10 b(new)h(gateway)
104 666 y fg(All)g(of)h fa(arp)m(a)p fg(')n(s)h(protection)e(has,)i(by)f(desi\
gn,)h(left)e(the)0 716 y(internal)k(A)-5 b(T&T)17 b(machines)f(untested\320a)
f(sort)g(of)g(crunchy)0 766 y(shell)8 b(around)g(a)h(soft,)f(chewy)h(center)n
(.)14 b(W)m(e)8 b(run)g(security)g(scans)0 815 y(on)j(internal)g(machines)i
(and)e(bother)g(system)h(administrators)0 865 y(when)i(holes)g(are)h(found.)
24 b(Still,)14 b(it)f(would)g(be)i(nice)f(to)g(have)0 915 y(a)d(gateway)f(tha\
t)g(is)g(demonstrably)f(secure)i(to)e(protect)h(the)g(in-)0 965 y(ternal)e
(machines.)14 b(For)9 b(peace)h(of)e(mind,)g(the)h(gateway)g(design)0 1015 y
(should)h(not)h(rely)h(on)f(vendors')g(code)h(more)g(than)f(absolutely)0 1065
y(necessary)m(.)31 b(W)m(e)16 b(would)e(like)h(the)g(internal)g(machines)h
(pro-)0 1114 y(tected)e(even)g(if)f(an)g(invader)g(breaks)h(into)e(the)i(gate\
way)f(ma-)0 1164 y(chine,)d(becomes)g(root,)f(and)g(creates)i(and)e(runs)g
(a)g(new)h(kernel.)104 1235 y(W)m(e)h(had)f(to)g(replace)i fa(arp)m(a)p fg
(.)k(The)11 b(V)-5 b(AX)11 b(750)f(ran)g(with)0 1285 y(typical)d(load)g(avera\
ges)i(of)e(seven)h(to)f(twelve)h(jobs)f(throughout)0 1335 y(the)h(day)m(.)14 b
(When)9 b(the)f(load)g(average)h(hit)f(about)f(\256fteen,)j(the)e(old)0 1385 y
(Datakit)13 b(driver)h(expired,)h(wedging)e(the)h(Datakit)f(ports)g(and)0 1435
y(requiring)c(a)h(reboot.)104 1506 y(A)i(new)f(machine)i(gave)f(the)g(opportu\
nit)o(y)d(for)i(a)h(clean)0 1556 y(start.)27 b(W)m(e)16 b(could)e(re-think)f
(the)i(security)f(arrangements)i(to)0 1606 y(improve)10 b(on)g fa(arp)m(a)p fg
(')n(s)h(shortcomings.)104 1677 y(Our)18 b(new)h(gateway)g(machine,)j(named)d
fa(inet)p fg(,)i(is)e(a)0 1727 y(MIPS)7 b(M/120)g(running)e(System)j(V)g(with)
e(Berkeley)h(enhance-)0 1776 y(ments.)35 b(V)-5 b(arious)17 b(daemons)h(and)f
(critical)g(programs)g(have)0 1826 y(been)j(obtained)e(from)h(other)g(sources\
,)k(checked,)g(and)c(in-)0 1876 y(stalled.)104 1947 y(W)m(e)8 b(store)g(nothi\
ng)e(vital)h(or)g(secret)i(on)f fa(inet)p fg(,)g(since)h(we)0 1997 y(assume)
14 b(that)e(it)f(may)i(be)g(defeated)g(in)f(unforeseen)h(ways.)21 b(It)0 2047
y(does)13 b(not)e(currently)g(run)h fe(uucp)p fg(\320systems)g(\256les)h(and)
f(dialers)0 2097 y(could)f(fall)g(into)g(the)h(wrong)f(hands.)18 b(There)13 b
(are)g(few)f(system)0 2146 y(administration)c(accounts,)i(and)g(user)g(accoun\
ts)g(are)g(discour-)0 2196 y(aged.)30 b fa(Inet)15 b fg(is)g(not)g(used)g(for)
g(other)g(tasks.)29 b(It)15 b(is)g(backed)0 2246 y(up)9 b(regularly)m(,)f(and)
h(scanned)h(for)f(unauthorized)e(changes)j(and)0 2296 y(common)k(system)h(adm\
inistration)d(mistakes.)25 b(Though)14 b(we)0 2346 y(don')o(t)9 b(trust)g fa
(inet)p fg(,)i(we)g(protect)e(it)h(as)h(much)f(as)h(we)g(can.)104 2417 y fa
(Inet)17 b fg(has)h(a)f(single)g(Ethernet)g(port)f(which)g(is)h(con-)0 2467 y
(nected)f(to)f(a)h(router)e(on)h(JVNCnet,)i(our)e(external)g(regional)0 2517 y
(network.)j(It)12 b(also)g(has)g(a)h(connection)e(to)h(Datakit.)18 b(W)m(e)13
b(have)0 2566 y(con\256gured)i(our)g(Datakit)f(controller)g(to)h(force)h(all)
f(connec-)0 2616 y(tions)g(from)g fa(inet)h fg(to)f(a)i(single)e(internal)g
(machine,)j(named)0 2666 y fa(r70)p fg(.)d fa(R70)10 b fg(can)h(redial,)g(or)
f(splice)g(connections)g(to)g(other)g(in-)0 2716 y(ternal)f(machines.)15 b fa
(R70)10 b fg(provides)e(a)i(limited)e(set)i(of)f(services)1035 57 y(to)h fa
(inet)g fg(for)g(reaching)h(internal)e(machines.)16 b(The)11 b(list)f(of)g
(ser-)1035 107 y(vices)h(are:)1087 185 y(1.)21 b(connection)9 b(to)h(an)h(app\
roved)e(machine')n(s)i fe(smtp)f fg(port,)1087 295 y(2.)21 b(connection)7 b
(to)g(a)h(login)e(or)i(trusted-login)d(Datakit)i(des-)1139 345 y(tination)13 b
(after)j(passing)g(a)g(challenge-response)g(test,)1139 395 y(and)1087 506 y
(3.)21 b(connection)9 b(to)h(a)h(logging)d(service.)1139 583 y(The)13 b(key)g
(to)f(the)h(arrangement)g(is)g(a)g(restricted)g(chan-)1035 633 y(nel)e(from)g
fa(inet)f fg(to)h fa(r70)p fg(.)16 b(This)11 b(private)f(channel)i(was)f(easi\
ly)1035 683 y(constructed)e(using)f(stock)g(features)i(of)f(our)f(research)j
(Datakit)1035 733 y(controller)n(.)21 b(Other)13 b(connection)f(schemes)j(cou\
ld)d(be)i(imple-)1035 783 y(mented)d(using)f(a)h(simple)g(multiplexed)e(proto\
col)g(over)h(some)1035 832 y(back-to-back)17 b(connection)g(between)h(the)f
(machines,)j(or)e(a)1035 882 y(simple)c(Ethernet)g(would)e(suf)o(\256ce.)27 b
(If)13 b(the)h(last)g(approach)g(is)1035 932 y(used)g(with)f(TCP)-5 b(,)15 b
(the)f(internal)f(machine)i(must)f(supply)f(dif-)1035 982 y(fering)h(TCP)h
(services)h(to)e(its)g(two)g(Ethernet)h(interfaces.)28 b(\(I)1035 1032 y(am)
14 b(not)f(sure)g(this)g(is)g(possible)g(with)f(standard)h(TCP/IP)g(im-)1035
1081 y(plementations.)j(It)11 b(wouldn')o(t)e(be)j(too)e(hard)h(to)g(modify)f
fe(inetd)1035 1131 y fg(to)g(do)g(this.\))1139 1207 y(These)h(functions)e(do)
h(not)g(load)g(the)g(internal)f(machine)1035 1257 y(too)j(much;)j(it)d(could)
h(have)g(other)g(uses)h(like)e fe(uucp)p fg(,)i fe(mail)p fg(,)f(or)1035 1307
y(even)f(normal)f(user)h(jobs.)k(But)11 b(the)g(services)h(it)f(provides)f
(the)1035 1357 y(external)k(machine)h(are)f(the)g(key)g(to)g(security)m(,)h
(and)f(must)g(be)1035 1407 y(protected)c(well.)1035 1531 y fd(3.)42 b(Outboun\
d)10 b(services)1139 1617 y fg(It)h(is)g(quite)f(easy)i(to)f(implement)g(most)
g(outbound)f(ser-)1035 1667 y(vices)g(to)f(the)h(Internet.)j fa(Inet)c fg(has)
i(a)f(small)f(program,)h(named)1035 1717 y fe(pr)n(oxy)k fg(\(a)g(descendant)
f(of)g fa(arp)m(a)p fg(')n(s)h fe(gate)p fg(\),)g(that)f(makes)h(calls)1035
1767 y(to)f(the)h(Internet)f(on)g(behalf)g(of)h(an)g(inside)f(machine)h(and)g
(re-)1035 1816 y(lays)h(bytes)g(between)h(the)f(inside)g(Datakit)f(connection)
h(and)1035 1866 y(the)8 b(outside)f(Internet)h(TCP)g(connection.)13 b fe(Pr)n
(oxy)d fg(can)f(also)f(lis-)1035 1916 y(ten)h(to)f(a)i(non-privileged)d(socke\
t)i(and)g(report)f(connections)h(to)1035 1966 y(an)g(inside)f(process.)15 b
(Several)9 b(outbound)e(services)j(are)g(imple-)1035 2016 y(mented)h(using)f
fe(pr)n(oxy)p fg(,)i(and)f(more)g(are)g(easy)h(to)e(create.)16 b(In)10 b(all)
1035 2065 y(cases,)18 b(it)c(appears)i(to)f(the)f(remote)i(Internet)e(hosts)g
(that)h(our)1035 2115 y(gateway)c(machine)g(is)f(making)g(the)g(calls.)1139
2191 y fa(Inet)h fg(may)g(be)h(reached)g(over)e(the)h(Datakit.)16 b(But)10 b
(how)1035 2241 y(do)18 b(internal)g(machines)h(reach)h fa(inet)e fg(over)h
(the)f(Ethernet?)1035 2291 y fa(R70)f fg(responds)g(to)f(two)h(IP)g(addresses\
:)28 b(its)16 b(own,)j(and)e(an)1035 2341 y(internal)f(IP)h(address)g(for)g fa
(inet)p fg(.)34 b(\(Dave)17 b(Presotto)g(imple-)1035 2391 y(mented)d(this)e
(after)i(a)g(trivial)e(change)i(to)f(the)g(T)m(enth)h(Edition)1035 2440 y(Res\
earch)j(Unix)e(connection)g(server)n(.[3]\))h(Calls)f(to)g(certain)1035 2490 y
(TCP)8 b(ports)e(on)h(this)f(internal)g(IP)i(address)g(invoke)e fe(dcon)p fg
(,)i(a)g(pro-)1035 2540 y(gram)i(that)e(simply)h(relays)g(the)h(bytes)f(betwe\
en)g(the)h(TCP)f(port)1035 2590 y(and)h(Datakit)g(connections)g(on)f fa(inet)
p fg(.)1139 2666 y(I)g(have)h(replaced)h(the)e(old)g fe(aftp)f fg(and)h fe
(atelnet)g fg(with)g fe(ptel-)1035 2716 y(net)14 b fg(and)g fe(pftp)p fg(.)24
b(They)15 b(work)e(in)h(the)f(same)j(manner)n(,)g(but)d(the)g eop bop 0 57 a
fg(new)9 b(routines)e(call)i(a)g(portable)f(implementation)f(of)h fe(ipcopen)
p fg(,)0 107 y(a)k(piece)g(of)e(the)i(connection)e(server)n(.)17 b fe(Ipcopen)
11 b fg(hides)g(the)g(de-)0 157 y(tails)h(of)g(a)g(connection)g(\(TCP)g(socke\
ts)h(or)f(Datakit\),)g(simpli-)0 207 y(fying)d(the)h(application)f(program.)
14 b(For)c(example:)0 280 y fc(ptelnet)24 b(tcp!toucan)0 352 y fg(connects)11
b(to)e(machine)i fa(toucan)h fg(on)d(our)h(internet,)g(and)0 425 y fc(ptelnet)
24 b(proxy!ernie.berkeley.edu)0 498 y fg(connects)10 b(to)g fa(ernie.berkeley\
.edu)j fg(on)d(the)g(external)g(In-)0 548 y(ternet.)k fc(proxy!)f fg(is)c(the)
h(default.)j(The)e fe(ipcopen)e fg(implemen-)0 598 y(tation)f(is)i(not)f(\257\
awless:)k(some)e(socket)f(features)g(such)g(as)g(out-)0 647 y(of-band)e(data)
h(and)g(the)g(ur)o(gent)f(pointer)g(are)h(missing)g(because)0 697 y(they)h
(are)h(not)e(supported)g(by)h(Datakit.)j fe(Ptelnet)d fg(was)h(stripped)0 747
y(down)f(to)f(avoid)h(these)h(features.)104 820 y fe(Pftp)f fg(provides)h(FTP)
h(access)h(in)e(a)h(similar)f(manner)n(.)18 b(It)0 870 y(is)11 b(an)h(updated)
g(version)f(of)g fe(aftp)f fg(from)i fa(arp)m(a)p fg(.)19 b(The)13 b fe(ipcop\
en)0 920 y fg(routines)c(allow)h(it)f(to)h(work)g(over)g(Datakit.)104 992 y
(Outgoing)h(mail)i(is)h(sent)f(to)g fa(inet)g fg(via)g fe(smtp)g fg(over)g
(ei-)0 1042 y(ther)c(Datakit)g(or)g(the)g(internal)g(Internet.)k(It)c(is)g
(stored)g(and)h(for-)0 1092 y(warded)16 b(from)f(there.)29 b(Upas)15 b(perfor\
ms)g(the)h(mail)f(gateway)0 1142 y(functions.)0 1254 y fd(4.)42 b(Inbound)10 b
(services)104 1335 y fg(W)m(e)f(provide)f(incoming)g(login)g(and)h(mail)g(ser\
vice.)14 b(For)0 1385 y(incoming)j(\256le)h(transfer)n(,)j fa(inet)c fg(provi\
des)g(an)i(anonymous)0 1435 y(FTP)11 b(service.)104 1508 y(W)m(e)17 b(do)g
(not)f(trust)g(our)g(passwords)h(to)g(the)f(Internet:)0 1558 y(it)g(is)g(too)
g(easy)h(to)f(eavesdrop)h(or)g(steal)f(packets.)34 b(See)18 b([4)o(])0 1607 y
(for)11 b(a)h(discussion)e(of)h(these)h(security)f(problems.)17 b(Login)11 b
(ser-)0 1657 y(vice)j(requires)g(a)g(hand-held)f(authenticator)g(\(HHA\).)h
(These)0 1707 y(are)h(calculator)o(-sized)g(devices)g(that)f(contain)g(DES)h
(encryp-)0 1757 y(tion)8 b(and)i(a)g(manually-loaded)f(64-bit)f(key)m(.)14 b
(They)c(cost)g(about)0 1807 y($50.)104 1879 y(Inbound)f(login)f(service)j(is)
g(provided)e(through)f(an)j(au-)0 1929 y(thentication)i(manager)j(on)f fa(r70)
p fg(.)29 b(A)15 b(session)g(is)g(shown)g(in)0 1979 y(\256gure)10 b(1.)k(T)m
(o)d(connect,)g(the)f(following)e(sequence)j(occurs:)64 2052 y ff(\267)21 b fg
(The)13 b(Internet)f(caller)i(uses)f fe(telnet)g fg(to)f(connect)h(to)f fa
(re-)104 2102 y(sear)o(ch.a)m(tt.com)i fg(\(a.k.a)h fa(inet)p fg(\))f(via)f fe
(telnet)p fg(.)24 b(The)104 2152 y(login)9 b(name)i(is)f fc(guard)p fg(.)64
2257 y ff(\267)21 b fg(The)13 b fc(guard)e fg(login)g(connects)h(to)g(the)g
(authentication)104 2306 y(manager)h(on)g fa(r70)f fg(over)h(the)f(Datakit.)
21 b(It)12 b(spends)g(the)104 2356 y(rest)e(of)g(the)g(connection)f(relaying)
g(bytes)h(between)g(the)104 2406 y(two)f(connections.)64 2511 y ff(\267)21 b
fg(The)8 b(authentication)e(manager)j(on)f fa(r70)g fg(requests)g(a)g(lo-)104
2561 y(gin)h(name.)64 2666 y ff(\267)21 b fa(R70)16 b fg(sends)g(a)h(random)f
(challenge)g(number)n(,)j(which)104 2716 y(the)10 b(caller)g(supplies.)1099 57
y ff(\267)21 b fg(The)11 b(user)f(enters)h(the)f(challenge)g(into)f(his)h(HHA\
.)1099 168 y ff(\267)21 b fg(The)e(HHA)g(encrypts)f(the)h(challenge)f(using)g
(a)h(pre-)1139 217 y(loaded)10 b(DES)h(key)m(,)g(and)f(displays)f(the)h(respo\
nse.)1099 328 y ff(\267)21 b fg(The)10 b(user)g(types)g(the)g(response.)k(He)
c(has)g(three)g(tries)g(to)1139 377 y(answer)g(a)g(challenge)f(correctly)m
(,)h(and)f(is)g(disconnected)1139 427 y(if)h(he)g(fails.)1099 538 y ff(\267)
21 b fg(The)10 b(authorization)e(manager)j(prompts)e(for)g(a)i(Datakit)1139
587 y(destination.)1099 698 y ff(\267)21 b fg(When)8 b(the)g(user)g(enters)g
(the)f(destination,)g(the)h(manager)1139 747 y(sends)17 b(a)h(redial)e(reques\
t)h(to)g(the)f(Datakit)h(controller)1139 797 y(with)6 b(the)i(given)f(destina\
tion)f(and)i(a)g(service)h(of)e(`dcon'.)1139 847 y(For)14 b(machines)h(that)f
(trust)f fa(r70)p fg(,)j(the)f(`dcon')e(service)1139 897 y(bypasses)h(further)
f(logins)f(and)i(avoids)f(further)g(pass-)1139 947 y(words.)1099 1057 y ff
(\267)21 b fg(The)d(redial)f(request)g(transfers)h(the)f(call,)j(switching)
1139 1107 y fa(r70)15 b fg(out)f(of)h(the)g(connection.)27 b(In)15 b(non-Data\
kit)e(im-)1139 1157 y(plementations,)e fa(r70)g fg(would)f(probably)g(have)h
(shuttle)1139 1206 y(bytes)f(between)g(the)h(two)e(connections.)1139 1283 y
(Each)19 b(user)f(requires)g(a)g(DES)h(key)m(,)h(and)e(keys)h(have)1035 1333 y
(an)14 b(expiration)f(date.)26 b(The)15 b(keys)f(are)h(stored)f(on)f(a)i(sepa\
rate)1035 1383 y(passwd/key)7 b(server)h(machine)g(connected)f(to)g fa(r70)p
fg(.)13 b(The)8 b(keys)1035 1433 y(in)g(this)h(machine)g(may)h(be)f(changed)h
(or)f(examined)g(only)f(from)1035 1483 y(its)i(console.)1139 1559 y(Inbound)e
(mail)h(is)h(delivered)f(directly)f(to)h fa(inet)p fg(.)14 b fa(Inet)1035 1608
y fg(checks)d(the)e(destination.)j(If)d(it)g(is)h(a)g(trusted)e(machine)j(\(i\
.e.)j(its)1035 1658 y fe(smtp)c fg(is)h(trusted\),)g(a)g(connection)f(request)
h(is)g(sent)g(to)f fa(r70)p fg(.)16 b(If)1035 1708 y(not,)e(the)g(mail)g(is)g
(relayed)g(through)f(an)h(accessible)h(internal)1035 1758 y(machine.)21 b fa
(R70)13 b fg(will)e(permit)g(connections)h(only)f(to)h(trusted)1035 1808 y fe
(smtp)i fg(implementations.)24 b(The)15 b(list)e(is)h(short)g(because)h(most)
1035 1857 y(internal)9 b(machines)i(run)f fe(sendmail)p fg(.)1035 1981 y fd
(5.)42 b(Pr)o(otecting)11 b(INET)1139 2066 y fg(The)k(preceding)f(precautions)
g(might)f(imply)h(that)g(we)1035 2116 y(expect)f(our)f(gateway)h(to)f(be)h
(compromised)g(at)g(some)g(point.)1035 2166 y(In)8 b(fact,)h(we)g(are)h(takin\
g)d(great)h(pains)g(to)g(protect)g(the)g(machine,)1035 2215 y(including)14 b
(the)i(usual)g(good)g(system)h(administration)d(steps)1035 2265 y(needed)8 b
(to)f(secure)h(any)f fa(Unix)h fg(system[5]:)j(directory)c(and)g(\256le)1035
2315 y(permissions)j(are)h(checked,)h(backups)f(performed)f(regularly)m(,)
1035 2365 y(etc.)1139 2441 y(W)m(e)19 b(have)g(taken)f(some)h(steps)g(to)f
(avoid)f(denial-of-)1035 2491 y(service)g(attacks.)31 b(For)16 b(example,)i
(the)e(logs,)h(the)f(spool)f(di-)1035 2540 y(rectory)m(,)10 b(and)g(the)f(pub\
lically-accessible)g(FTP)i(directory)d(are)1035 2590 y(each)i(on)f(separate)i
(\256le)e(systems.)14 b(If)9 b(a)h(stranger)f(\256lls)g(the)g(pub-)1035 2640 y
(lic)h(FTP)h(directory)m(,)f(there)g(is)g(still)f(room)h(for)g(the)g(logs.)
% The next line ends section 5 and the page, then opens a new page. eop and
% bop appear to be the dvips end-of-page and begin-of-page procedures, which
% are defined outside this excerpt.
1139 2716 y(Here)h(are)g(some)g(other)f(steps)g(taken:)g eop bop 498 52 a fc
% Figure 1: a sample telnet session through the guard. The caller logs in
% as "guard", gives a user name, answers an "Enter response code for
% <number>" prompt and then names a destination host. The login therefore
% appears to be a challenge-response exchange, not a reusable password.
% That matters because section 8 notes that the passwords later demanded by
% internal machines travel over the Internet in the clear.
($)25 b(telnet)f(research.att.com)498 102 y(Trying...)498 152 y(Connected)g
(to)h(research.att.com.)498 202 y(Escape)f(character)h(is)f('^]'.)498 351 y
(RISC/os)g(\(inet\))498 451 y(login:)g(guard)498 500 y(RISC/os)g(\(UMIPS\))h
(4.0)f(inet)498 550 y(Copyright)g(1986,)h(MIPS)f(Computer)g(Systems)498 600 y
(All)h(Rights)f(Reserved)498 650 y(Security)g(Authentication)g(check)498 750 y
(login:)g(ches)498 799 y(Enter)h(response)f(code)g(for)h(90902479:)f(818b71fe)
498 899 y(Destination)g(please:)g(coma)498 949 y(OKYou)h(have)f(mail.)498 999
y(coma=;)g(date)498 1048 y(Tue)h(Nov)f(14)h(10:52:37)f(EST)h(1989)498 1098 y
(coma=;)498 1148 y(Eof)498 1198 y(Connection)f(closed)g(by)h(foreign)f(host.)
% End of the transcript and the figure caption, then the bulleted list of
% further hardening steps. \267 reads as the bullet glyph. The list covers:
%   - important executables are periodically checksummed and checked
%   - most accounts have no password; login depends on the source of the call
%   - non-essential network daemons are removed, so they need not be trusted
%   - inetd handles the privileged work, so telnetd, smtpd and ftpd run
%     without special permissions
%   - network activity is logged extensively, including connection and login
%     attempts, and an off-machine write-only log server is planned
%   - the latest BSD network daemons were examined, modified and installed
498 1248 y($)558 1347 y fg(Figure)10 b(1:)j(A)d(connection)g(session)g(throug\
h)f(the)h(guard.)64 1481 y ff(\267)21 b fg(All)7 b(the)h(important)f(executab\
le)i(\256les)g(are)g(periodically)104 1531 y(checksummed)j(and)e(checked)h
(for)f(changes.)64 1638 y ff(\267)21 b fg(Most)11 b(user)h(accounts)g(do)f
(not)g(have)h(passwords)g(to)f(be)104 1688 y(checked.)21 b(They)13 b(obtain)e
(permission)g(to)h(login)e(based)104 1738 y(on)g(the)g(source)g(of)g(the)h
(call.)64 1845 y ff(\267)21 b fg(Non-essential)d(network)h(daemons)h(have)f
(been)h(re-)104 1895 y(moved:)13 b(we)e(don')o(t)e(need)i(to)f(trust)f(them.)
64 2002 y ff(\267)21 b fe(Inetd\(8\))14 b fg(handles)h(all)g(network)g(connec\
tions.)28 b(Cer-)104 2052 y(tain)11 b(modi\256cations)g(allow)g fe(telnetd)q
fg(,)g fe(smtpd)q fg(,)h(and)f fe(ftpd)104 2102 y fg(to)f(run)g(without)f(spe\
cial)i(permissions:[5)o(])f fe(inetd)h fg(han-)104 2152 y(dles)f(the)g(privil\
eged)f(stuf)o(f.)64 2259 y ff(\267)21 b fg(There)8 b(is)g(extensive)f(logging)
f(of)h(network)f(activity)m(,)i(in-)104 2309 y(cluding)i(connection)i(and)g
(login)e(attempts.)19 b(A)12 b(write-)104 2359 y(only)g(log)g(server)i(is)f
(planned)g(that)f(will)g(keep)i(a)f(copy)104 2409 y(of)c(these)h(logs)f(of)o
(f-machine)g(and)h(inaccessible)g(to)f(any)104 2458 y(network.)64 2566 y ff
(\267)21 b fg(Since)15 b(the)f(network)g(daemons)h(are)h(so)f(important)e(to)
104 2616 y(the)e(security)h(of)f(the)h(machine,)h(we)f(obtained)f(the)h(lat-)
104 2665 y(est)7 b(BSD)g(versions)f(and)h(examined,)h(modi\256ed,)g(and)f(in-)
104 2715 y(stalled)j(them.)1035 1481 y fd(6.)42 b(Gateway)10 b(alternatives)
% Section 6, "Gateway alternatives" (heading is on the line above). It weighs
% a plain or packet-filtering router against a packet-forwarding gateway
% host. The objections given are:
%   - it is unclear whether a worm could get through the permitted ports
%   - outside telnet access exposes inside machines to password guessing
%   - the router provides no logging to detect invasion attempts
%   - mail gating still needs a machine somewhere
%   - internal machines that trust a gate machine are further exposed if it
%     is compromised
1139 1567 y fg(There)16 b(are)f(several)h(much)f(simpler)f(alternatives)h(for)
1035 1617 y(an)h(Internet)f(gateway)m(.)31 b(The)17 b(simplest)e(is)g(a)i(rou\
ter)n(,)g(which)1035 1667 y(just)7 b(lets)g(the)h(packets)g(through.)j(Some)d
(routers,)g(like)f(Cisco')n(s,)1035 1716 y(provide)j(packet)i(\256ltering)e
(that)h(can)h(block)f(various)f(types)h(of)1035 1766 y(access)h(to)e(an)h(ins\
titutio)o(n.)1139 1843 y(W)m(e)d(did)e(not)h(choose)h(the)f(router)n(.)12 b
(Though)7 b(the)h(\256ltering)1035 1892 y(is)g(quite)f(good,)i(it')n(s)e(not)
g(clear)i(whether)f(a)h(clever)g(worm)f(could)1035 1942 y(get)f(through)f(the)
i(permitted)f(ports.)12 b(Can)7 b(we)i(trust)d(the)h(router?)1035 1992 y(If)k
fe(telnet)g fg(access)j(is)d(allowed)g(from)g(the)h(outside,)f(inside)f(ma-)
1035 2042 y(chines)f(are)g(exposed)g(to)f(password-guessing)f(attacks.)14 b
(If)9 b fe(tel-)1035 2092 y(net)i fg(access)j(is)d(not)f(allowed,)h(an)h(alte\
rnative)e(is)h(needed)h(any-)1035 2141 y(way)m(,)k(requiring)c(additional)g
(provisions.)24 b(The)15 b(router)e(does)1035 2191 y(not)h(provide)f(logging)
f(to)i(detect)h(invasion)e(attempts.)27 b(And)1035 2241 y(mail)8 b(gating)g
(must)g(be)h(provided)e(by)h(a)h(machine)g(somewhere:)1035 2291 y(it)g(is)h
(unreasonable)g(to)f(expect)h(each)h(internal)e(machine)i(to)e(be)1035 2341 y
(con\256gured)14 b(to)h(handle)f(all)h(the)f(varieties)h(of)g(external)f(mail)
1035 2390 y(addressing.)1139 2467 y(Many)f(Internet)g(sites)h(use)g(a)g(gatew\
ay)g(machine)h(like)1035 2517 y(a)k(Sun.)38 b(These)19 b(machines)g(forward)f
(IP)h(packets)f(in)g(both)1035 2566 y(directions,)f(and)f(provide)f(a)i(mail)
f(gateway)h(service.)32 b(The)1035 2616 y(packet)12 b(\257ow)f(is)h(still)d
(dangerous,)j(though)e(\256ltering)g(is)h(avail-)1035 2666 y(able.)26 b(Many)
14 b(internal)f(machines)i(may)g(trust)e(the)h(gate)g(ma-)1035 2716 y(chine,)
% The next line finishes the last sentence of section 6 and ends the page,
% then opens the final page. eop and bop appear to be the dvips page
% procedures, defined outside this excerpt.
% Section 7, "Performance", follows. It reports pftp over Datakit at 17 to
% 44 Kb/sec, TCP transfers through r70 at 9 to 16 Kb/sec, and plain ftp on
% inet at about 60-90 Kb/sec, which the paper presents as the cost of
% security. \261 reads as an en dash.
c(leaving)e(them)i(further)e(exposed)h(if)g(the)g(gate)g(machine)g eop bop 0
57 a fg(is)10 b(compromised.)0 168 y fd(7.)42 b(Performance)104 249 y fg(The)
8 b(mail)g(throughput)d(of)j(the)g(new)g(gateway)g(has)h(been)0 299 y(gratify\
ing,)d(though)g(a)i(V)-5 b(AX)7 b(750)g(is)g(an)h(easy)g(act)g(to)e(follow)m
(.)12 b(In)0 348 y(many)g(cases,)i(we)f(have)f(had)g(replies)f(to)g(cross-cou\
ntry)g(mail)0 398 y(return)c(in)h(less)h(than)f(a)g(minute.)13 b(It)8 b(somet\
imes)h(seems)h(that)d(the)0 448 y(mail)i(must)h(have)g(bounced.)k fa(Inet)9 b
fg(has)h(little)e(else)i(to)f(do,)h(and)0 498 y(a)h(MIPS)f(M/120)f(is)h(a)h
(fast)f(machine.)104 570 y fe(Pftp)g fg(transfers)h(are)h(fastest)g(over)f
(Datakit,)g(since)h(they)0 620 y(avoid)j(the)g fe(dcon)h fg(gateway)g(in)f fa
(r70)p fg(.)30 b(File)15 b(transfers)h(range)0 670 y(from)c(17)g(to)g(44)g
(Kb/sec.)20 b(TCP)13 b(transfers)f(through)e fa(r70)j fg(run)0 719 y(at)i(9)g
(to)f(16)g(Kb/sec.)28 b(By)15 b(comparison,)23 b fe(ftp)13 b fg(on)i fa(inet)
g fg(runs)0 769 y(at)e(about)f(60\26190)g(Kb/sec.)23 b(Clearly)m(,)13 b(secur\
ity)g(has)g(its)g(costs.)0 819 y(But)g(these)i(are)g(top)e(speeds.)26 b(The)
15 b(limiting)d(factor)i(is)g(often)0 869 y(the)c(external)g(net)h(or)f(host.)
j(In)d(any)h(case,)h(several)f(users)g(have)0 919 y(expressed)g(satisfaction)
% Section 8, "Conclusions" (heading on the next line). The limits it states:
%   - if r70 and inet are subverted, the inside machines can be attacked
%   - insiders can import Trojan horses or virus-infected programs, and the
%     stated defence is continued scanning of internal machines for holes
%   - any other link to the external Internet bypasses the gateways
%   - the guarded telnet is not perfect: the remote telnet may be insecure
%     and the TCP connection could be stolen after login
%   - internal machines that require their own login receive those
%     passwords over the Internet in the clear
%   - two machines plus Datakit give three points of failure
%   - TCP-level gateways lower throughput
f(about)f(the)h(throughput.)0 1030 y fd(8.)42 b(Conclusions)104 1110 y fg(The)
17 b(new)f(gateway)h(achieves)g(a)g(useful)f(balance)h(of)0 1160 y(utility)e
(and)j(security)m(.)37 b(Most)17 b(internal)g(users)h(seem)i(to)d(be)0 1210 y
(happy)10 b(with)g fe(pftp)f fg(and)i fe(ptelnet)p fg(.)k(Some)d(have)f(asked)
g(for)g fe(talk)q fg(,)0 1259 y(resolver)f(service)g(and)g(other)f(UDP-based)
h(protocols.)j(These)0 1309 y(could)c(be)i(provided)e(with)g(non-)p fe(pr)n
(oxy)h fg(services)h(on)e fa(inet)h fg(ac-)0 1359 y(cessible)h(through)d(Data\
kit.)104 1431 y(There)k(are)g(certainly)f(limits)f(to)h(our)g(security)m(.)18
b(If)11 b fa(r70)0 1481 y fg(and)i fa(inet)h fg(are)g(subverted,)g(the)f(insi\
de)g(machines)h(could)f(be)0 1531 y(attacked.)104 1603 y(Insiders)d(can)i(eas\
ily)f(import)e(trouble)h(such)h(as)h(T)o(rojan)0 1653 y(horses)g(or)f(program\
s)g(infected)g(with)f(viruses.)18 b(Our)11 b(best)g(de-)0 1703 y(fense)f(is)f
(continued)f(scanning)g(of)h(internal)f(machines)i(for)f(se-)0 1752 y(curity)
g(holes)h(in)g(case)i(such)e(a)h(program)f(gets)g(loose.)104 1824 y(There)15 b
(is)f(now)g(a)h(second)f(A)-5 b(T&T)16 b(internet)d(gateway)m(.)0 1874 y(Its)
f(con\256guration)g(is)g(similar)g(to)g fa(inet)p fg(')n(s.)21 b(These)14 b
(two)e(front)0 1924 y(doors)c(provide)f(reasonable)i(security)f(to)g(an)h(iso\
lated)e(internal)0 1974 y(internet.)21 b(But)12 b(A)-5 b(T&T)14 b(is)f(a)g
(lar)o(ge)g(company)m(,)i(so)e(we)g(keep)h(a)0 2024 y(constant)9 b(watch)h
(to)f(assure)i(that)e(no)h(other)f(links)f(are)j(made)g(to)0 2074 y(the)h(ext\
ernal)h(Internet.)20 b(A)13 b(locked)g(front)e(door)h(is)g(useless)i(if)0 2123
y(the)c(back)h(wall)f(of)g(the)g(house)g(is)g(missing.)104 2195 y(The)k(incom\
ing)f(guarded)h fe(telnet)g fg(service)g(is)g(not)f(per-)0 2245 y(fect.)22 b
(The)13 b(remote)g fe(telnet)f fg(may)i(be)f(insecure,)h(and)e(the)h(TCP)0
2295 y(connection)k(itself)g(could)h(be)g(stolen)f(after)h(login)f(is)h(com-)
0 2345 y(plete.)37 b(Most)18 b(internal)f(A)-5 b(T&T)19 b(machines)g(do)f(not)
f(accept)0 2395 y fa(r70)p fg(')n(s)9 b(judgement)g(that)f(the)h(user)h(is)f
(valid,)g(and)g(require)g(their)0 2444 y(own)i(login)e(passwords.)17 b(These)
12 b(passwords)g(travel)e(over)h(the)0 2494 y(Internet)e(in)h(the)g(clear)n
(.)104 2566 y(Our)e(solution)e(does)j(have)f(some)i(drawbacks.)k(W)m(e)8 b
(rely)0 2616 y(on)13 b(two)h(machines)g(and)g(Datakit)f(to)h(keep)g(things)e
(working.)0 2666 y(This)d(yields)g(three)g(points)f(of)g(failure,)i(while)e
(the)h(simpler)g(ap-)0 2716 y(proaches)g(have)h(\(in)d(some)j(sense\))f(only)
f(one)h(point)e(of)h(failure.)1035 57 y(The)j(use)g(of)e(TCP-level)h(gateways)
h(does)g(lower)e(throughput.)1035 107 y(Though)h(most)g(users)h(seem)h(to)e
(be)g(content)g(with)f(the)i fe(pftp)e fg(re-)
% Closing notice: the paper says it is not an invitation to test the
% gateway's security and that management's policy is to call the authorities
% when intruders are detected. Section 9, Acknowledgements, comes after it.
1035 157 y(sponse,)i(it)e(would)g(be)i(nice)f(to)g(speed)h(it)e(up)h(some.)1139
229 y fd(This)j(paper)i(is)f(not)g(an)g(invitation)d(to)j(come)1139 279 y(test)k
(the)g(security)g(of)f(our)h(gateway)n(.)35 b(It)18 b(is)1139 328 y(management')n
(s)9 b(policy)f(to)h(call)g(the)h(authori-)1139 378 y(ties)g(when)h(intruders)g
(ar)o(e)h(det\
ected.)1035 480 y(9.)42 b(Acknowledgements)1139 555 y fg(Many)13 b(people)g
(have)h(contributed)e(to)g(the)h(support)f(of)1035 605 y(these)17 b(gateways.)
35 b(Steve)17 b(Bellovin)e(did)h(most)h(of)g(the)f(ini-)1035 655 y(tial)j(wor\
k)h(to)f(get)h fa(arp)m(a)h fg(talking)e(to)g(the)h(ARP)l(Anet)g(and)1035 705
y(Datakit.)g(Dave)13 b(Presotto)f(has)h(supplied)e(much)i(of)g(the)f(soft-)
1035 755 y(ware)f(and)e(most)h(of)f(the)h(paranoia)g(to)f(provide)g(a)h(secur\
e)h(gate-)1035 804 y(way)m(.)20 b(Howard)12 b(T)o(rickey)g(implemented)g(earl\
ier)h(versions)e(of)1035 854 y fe(ptelnet)d fg(and)g fe(pftp)p fg(.)k(Dennis)
d(Ritchie)e(has)i(kept)f(a)h(watchful)e(eye)1035 904 y(and)12 b(stepped)g(in)
g(when)g(things)e(broke.)19 b(Steve)13 b(Bellovin)d(and)1035 954 y(others)i
(have)g(provided)f(numerous)h(suggestions)f(and)h(warn-)1035 1004 y(ings)k
(on)g(various)g(networking)e(and)j(security)f(topics.)32 b(Jim)1035 1053 y
(McKie)11 b(ported)e(many)i(useful)e(Research)j(Unix[6)n(])e(functions)1035
1103 y(and)g(the)h(INCON)e(Datakit)h(driver)g(to)g(our)f(MIPS)i(computers,)
% End of the acknowledgements. The References heading and entries [1] to [6]
% follow. The final "eop eos @end" closes the last page and the document.
1035 1153 y(making)f(life)g(much)g(easier)h(for)f(me.)1035 1254 y fd(Refer)o
(ences)1148 1322 y fg([1])20 b(David)13 b(Presotto.)g fe(Upas)g(-)g(a)g(simpl\
er)g(appr)n(oach)1217 1372 y(to)f(network)f(mail.)h fg(USENIX)g(Summer)h(Conf\
er-)1217 1421 y(ence)e(Proceedings,)g(pps.)f(533\261538,)e(June)j(1985.)1148
1518 y([2])20 b(Donn)10 b(Seeley)m(.)j fe(A)e(T)l(our)g(of)f(the)h(W)l(orm.)g
fg(USENIX)1217 1568 y(W)n(inter)f(Conference)h(Proceedings,)g(Jan.)g(1989.)
1148 1665 y([3])20 b(David)e(Presotto)g(and)g(Dennis)h(Ritchie.)e fe(Inter-)
1217 1715 y(pr)n(ocess)10 b(Communication)d(in)h(the)h(Ninth)e(Edition)1217
1764 y(UNIX)13 b(System.)h fg(Unix)f(Programmer)r(')n(s)g(Manual,)1217 1814 y
(T)m(enth)d(Edition.)f(A.)i(G.)f(Hume)h(and)f(M.)h(D.)f(McIl-)1217 1864 y(roy)
m(,)i(Editors.)e(A)-5 b(T&T)13 b(Bell)d(Laboratories,)i(Mur-)1217 1914 y(ray)
f(Hill,)e(NJ.)i(1990.)1148 2011 y([4])20 b(Bellovin,)26 b(S.M.)e fe(Security)
g(Pr)n(oblems)g(in)f(the)1217 2060 y(TCP/IP)14 b(Pr)n(otocol)f(Suite.)h fg
(Computer)e(Commu-)1217 2110 y(nications)c(Review)m(,)i(V)-5 b(ol.)9 b(9,)g
(No.)g(2;)g(April,)g(1989,)1217 2160 y(pps.)i(32\26148.)1148 2257 y([5])20 b
(Dennis)8 b(M.)h(Ritchie.)f fe(On)h(the)f(Security)h(of)f(UNIX.)1217 2307 y fg
(Unix)j(Programmer)r(')n(s)h(Manual,)h(T)m(enth)f(Edition.)1217 2356 y(A.)19 b
(G.)f(Hume)h(and)f(M.)g(D.)h(McIlroy)m(,)h(Editors.)1217 2406 y(A)-5 b(T&T)17
b(Bell)d(Laboratories,)j(Murray)e(Hill,)h(NJ.)1217 2456 y(1990.)1148 2553 y
([6])k(Unix)11 b(Programmer)r(')n(s)h(Manual,)h(T)m(enth)f(Edition,)1217 2603
y(V)-5 b(olumes)10 b(One)h(and)g(T)m(wo.)g(A.)h(G.)f(Hume)g(and)g(M.)1217 2652
y(D.)16 b(McIlroy)m(,)g(Editors.)e(A)-5 b(T&T)17 b(Bell)d(Laborato-)1217 2702
y(ries,)d(Murray)f(Hill,)f(NJ.)i(1990.)g eop eos @end