Internet security?

Ed Vielmetti emv at ox.com
Thu Apr 18 14:04:06 AEST 1991


In article <1991Apr18.010503.28085 at pa.dec.com> mogul at pa.dec.com (Jeffrey Mogul) writes:

   Not precisely the same thing, but Ultrix 4.2 will include the "screend"
   program.  If you use an Ultrix system as a router, screend will allow
   you to control access at the router (instead of at the end system).  This
   is more convenient when you are dealing with a large collection of hosts
   that have to be protected.

   For more information, see my paper in Proc. USENIX Summer '89, or wait
   for the documentation on the Ultrix 4.2 kit.

I would bet that the software in
	decuac.dec.com:/public/sources/screend.tar.Z 
would give you a taste of what's in 4.2, though from looking at the
package it's a beta version rather than final product.  

If you don't have the USENIX Summer '89 proceedings, the paper is in
this package (or at least the preprint is).  It would appear that it
might also be available by mail to "wrl-techreports at decwrl.dec.com";
send a message with the subject "help" for more instructions.  The
paper is "Simple and Flexible Datagram Access Controls for Unix-based
Gateways", March 1989.

Note that port-based router security doesn't help you at all if you
have evil people on the inside connecting to their accomplices
outside; even the most innocuous of "well-known ports" can be hijacked
and used to tunnel datagrams through.  I don't recall the exact
reference, but I believe something along these lines was presented at
a USENIX by some Bell Labs folks; the name "greyer" (instead of
"blacker") comes to mind.

-- 
 Msen	Edward Vielmetti
/|---	moderator, comp.archives
	emv at msen.com

"With all of the attention and publicity focused on gigabit networks,
not much notice has been given to small and largely unfunded research
efforts which are studying innovative approaches for dealing with
technical issues within the constraints of economic science."  
							RFC 1216





More information about the Comp.unix.ultrix mailing list