Questions and Answers
Well, yet again an attack from the cracker community has made the news. Toward the end of January, the New York Times article that was picked up by many other newspapers. The story told of a "new" kind of attack which left firewalls However, this "news" is really "same old, same old," since this kind of attack has been known for a long time. Robert T. Morris wrote a paper about it back in 1985, and Steve about it in 1989 (this paper is available from many the COAST security archives via anonymous ftp from coast.cs.purdue.edu, other words, this kind of attack has been possible for over ten years, but a very recent increase in the number of attacks is the reason for the CERT (CA-95:01, January 23, 1995: "IP Spoofing and Hijacked Terminal Connections") and CIAC advisories Advisory F-08: "IP Address Spoofing and Hijacked

As mentioned above, the newspaper article reported that are defenseless against these attacks. In reality, any firewall will not be vulnerable; unfortunately, however, are connected to the Internet through either homegrown, firewalls or, in many cases, no firewall at all. Such sites are vulnerable to many kinds of attacks, but might not know that their

The primary attack uses IP sequence number spoofing, with fake source addresses in the packets. Unfortunately, advisory was very vague and somewhat misleading, in that it made many people think that the problem was related to source can of worms waiting on the sidelines). It would have been very useful if the CERT advisory had given a clear description of on the other hand, in a country where suing each other is the favorite pastime, it is difficult to fault them for being careful.

In any case, a firewall which completely blocks any packet for the shell port (514) appears to be safe from this specific kind of attack. A firewall which can block all packets to or from the will be better. The best firewall design for withstanding of attack is probably one based on a combination of routers and a bastion host with application proxies, such as SOCKS [Editor's note: See Chris Hare's "Network Construction: a Firewall" on page 8 of this issue for an extended

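The two filtering rules the column recommends, an anti-spoofing check on the outside interface and a block on the shell port (514), as an added illustration in Python that is not part of the column; the network 192.0.2.0/24 and the packets are constructed for the example.

```python
import ipaddress

# Constructed example values: the site's inside network and the shell port the column names.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
SHELL_PORT = 514  # rsh "shell" service

def filter_packet(pkt, inbound):
    """Return (verdict, reason) for one packet.

    pkt is a dict {"src", "dst", "proto", "sport", "dport"}; inbound=True means the
    packet arrived on the outside (Internet-facing) interface of the firewall.
    """
    src = ipaddress.ip_address(pkt["src"])
    # Anti-spoofing: a packet from the Internet must never carry an inside source
    # address; that is the "fake source address" the column describes.
    if inbound and src in INTERNAL_NET:
        return ("drop", "inside source address seen on the outside interface")
    # Egress sanity check: nothing leaves unless it really comes from the inside.
    if not inbound and src not in INTERNAL_NET:
        return ("drop", "outbound packet with a non-inside source address")
    # The column's first recommendation: block any packet for the shell port (514).
    if pkt["proto"] == "tcp" and SHELL_PORT in (pkt["sport"], pkt["dport"]):
        return ("drop", "shell port 514 is blocked in both directions")
    return ("accept", "no rule matched")

def apply_policy(packets):
    """Evaluate a list of (pkt, inbound) pairs and return the verdicts in order."""
    return [filter_packet(pkt, inbound)[0] for pkt, inbound in packets]

# Constructed sample traffic (not captured data).
SAMPLE = [
    ({"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "sport": 40000, "dport": 25}, True),
    ({"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 1023, "dport": 514}, True),
    ({"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "sport": 4000, "dport": 25}, True),
    ({"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "sport": 514, "dport": 1022}, False),
]

if __name__ == "__main__":
    for pkt, inbound in SAMPLE:
        print(pkt["src"], "->", pkt["dst"], filter_packet(pkt, inbound))
```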
Enough about security for now (even though we really never get enough). The next system administration conference is coming up in April, this time the System Administration, Networking and Security (SANS). The conference takes place in Washington, DC, Since I have been receiving more e-mail about conferences related tutorials than about anything else I address in this column, I have included a short description of the SANS tutorials in the sidebar. For more information about the SANS conference, call

Our file server has six disk drives all connected one SCSI controller. Now our hardware support person has told me that I should not attach that many drives to a single controller.

Depending on the usage pattern of your machine, he be. In my experience, about four active disk drives on a SCSI bus appear to occupy the bus full time. More active drives and the bus starts to be a bottleneck. The keyword here If, for example, you use one or more drives to keep old sources around for reference and those drives are rarely accessed, then they will not have much effect on the performance of the SCSI bus.

Based on the information above, it sounds like a second controller you a better overall performance. However, you will also need to look at the other components of the system, as you will need to evaluate if the bottleneck is truly where you think it is. For example, if your CPU is also maxed out, or if it does not have enough memory (both can be checked with vmstat), then adding second controller will have little or no effect.

I work at a small site, where we get our electronic over UUCP. I recently read about a utility which allows as ours to send and receive mail, using SMTP across a UUCP link. What kind of software is needed to accomplish this, and where can I get

What you are referring to is known as Batched SMTP BSMTP. Using this strategy, e-mail is queued up via the standard SMTP command language, but instead of connecting to the remote TCP, commands and data are stored into a text file, which is then queued up for transmission with UUCP. The trick is that site must be able to receive and understand the e-mail in this format.

If you are using smail3 (which in my opinion is the for a UUCP site), you are halfway there, since it already BSMTP. However, if the remote site does not run smail not support the BSMTP program (which can receive batched you are out of luck. I recommend that you implement BSMTP, as it provides a much better mail transfer protocol than native UUCP. UUCP will still provide the underlying transport mechanism, but it will be involved in the e-mail address resolution. Gone will be the bang-addresses and the munged e-mail headers.

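The batch file format described above, as an added Python illustration that is not smail3's own code: one routine writes the SMTP dialogue for a message into the text that UUCP would carry, and a receiving-side routine parses it back while checking that every command has the right shape and order. The message and host names are constructed for the example.

```python
def make_bsmtp_batch(sender, recipients, message_lines, helo_name):
    """Return the text of a BSMTP batch carrying one message. Body lines are
    dot-stuffed (a leading '.' is doubled) just as on a live SMTP connection, so a
    message line consisting of a lone '.' cannot end DATA early."""
    out = ["HELO " + helo_name, "MAIL FROM:<%s>" % sender]
    out += ["RCPT TO:<%s>" % r for r in recipients]
    out.append("DATA")
    out += ["." + line if line.startswith(".") else line for line in message_lines]
    out += [".", "QUIT"]
    return "\n".join(out) + "\n"

def parse_bsmtp_batch(text):
    """Parse a batch into a list of (sender, recipients, message_lines).

    The receiving site has to understand the format rather than trust it, so each
    command is checked for shape and order; anything else raises ValueError.
    """
    messages, sender, rcpts, body, in_data = [], None, [], None, False
    for line in text.splitlines():
        if in_data:
            if line == ".":
                messages.append((sender, rcpts, body))
                sender, rcpts, body, in_data = None, [], None, False
            else:  # undo the dot-stuffing
                body.append(line[1:] if line.startswith(".") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "QUIT"):
            continue
        if verb == "MAIL" and arg.startswith("FROM:<") and arg.endswith(">"):
            sender = arg[6:-1]  # may be empty: the null reverse path of a bounce
        elif verb == "RCPT" and arg.startswith("TO:<") and arg.endswith(">") and sender is not None:
            rcpts.append(arg[4:-1])
        elif verb == "DATA" and sender is not None and rcpts:
            body, in_data = [], True
        else:
            raise ValueError("malformed or out-of-order BSMTP command: %r" % line)
    return messages

# Constructed sample message for the illustration (not real mail).
SAMPLE_MSG = ["From: alice@example.org", "To: bob@example.net", "Subject: batch test",
              "", "Hello over the UUCP link.", ".a body line that starts with a dot"]

if __name__ == "__main__":
    batch = make_bsmtp_batch("alice@example.org", ["bob@example.net"], SAMPLE_MSG, "site.example.org")
    print(batch)
    print(parse_bsmtp_batch(batch))
```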
I have been told that ftp is difficult to handle in a firewall. Why is that the case?

The person who told you this was probably thinking how ftp uses both a control connection and a data connection, and how this can create problems for router-based firewalls. this requires looking at how ftp transfers files.

The control connection is established first, in the The server listens to the well-known port for ftp (21). the client wants to connect to the server, it will connect port. This connection will stay up for the duration of the ftp session, independent of whatever commands are executed.

Each time a file is to be transferred between the two data connection will be opened, and the file will be this connection. The problem is that the client chooses a random port to use for the data transfer. It then listens to the and also sends that port number to the server, via the The server then connects to that port for the duration of the transfer.

The problem, with respect to firewalls, is that you do not know which port will be used. Proxy-based firewalls do not have because the proxy software understands the underlying a firewall which depends heavily on filtering routers may have such problems, even though the filtering capabilities of the routers are being increased all the time.

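What "the proxy software understands the underlying protocol" amounts to in practice, as an added Python illustration (not code from the column or any particular firewall product): the client announces its randomly chosen data port on the control connection with a PORT command, and a proxy that decodes that command can permit the server to connect back to exactly that endpoint, which a plain packet filter cannot know in advance. The client address and control-channel lines are constructed for the example.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2: four address octets, then the port as high and low bytes.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

def parse_port_command(line, control_peer_ip):
    """Decode an ftp PORT command into the (ip, port) the server will connect to.

    Returns None when the line is not a well-formed PORT command, when it names a
    host other than the client that sent it on the control connection, or when it
    names a privileged port (the client listens on a random unprivileged one).
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    if ip != ipaddress.ip_address(control_peer_ip) or port < 1024:
        return None
    return (str(ip), port)

def allowed_data_connections(control_lines, control_peer_ip):
    """Walk the client's side of a control session and return every data endpoint
    a proxy would open for the server's connection back to the client."""
    allowed = []
    for line in control_lines:
        endpoint = parse_port_command(line, control_peer_ip)
        if endpoint is not None:
            allowed.append(endpoint)
    return allowed

# Constructed control-channel lines from a client at 192.0.2.10 (not a capture).
SAMPLE_CONTROL = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",      # 4*256 + 1 = 1025: permitted
    "RETR README",
    "PORT 198,51,100,7,4,2",    # names a third host, not the client: refused
    "PORT 192,0,2,10,300,1",    # byte value out of range: refused
]

if __name__ == "__main__":
    print(allowed_data_connections(SAMPLE_CONTROL, "192.0.2.10"))
```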
You have previously described how to set up a split server, using one name server on the firewall and one on the inside. We use NIS internally, and I would like to avoid having an inside name server. Is there a way to do this?

If your internal hosts need to be able to resolve the names and addresses of hosts on the Internet, you will have to bite the bullet, and either convert to using the name server, or set up a DNS tunnel for NIS (which is now much easier than it was a few years ago). However, if your firewall is of a type (as, for TIS Firewall tool kit) where the inside hosts connect to the firewall machine, which in turn connects to the Internet, you have a reasonable

You'll need to acquire a version of the resolver which will also use /etc/hosts for host name lookup (this version is known and use it when you compile and link the software on bastion host, which talks to the machines on the inside. will then use the values in /etc/hosts to identify the

The disadvantage, of course, is that you need to keep file on the bastion host up-to-date. In my opinion, you are better off converting to DNS internally. This way you only need to maintain the data on your internal primary name server. You can, use the DNS-to-NIS tunnel, but this is a one-way street, so if you do use that solution, you will need to maintain both the name server and the NIS map.

About the Author
Bjorn Satdeva is the president of /sys/admin, inc., firm which specializes in large installation system Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area users' group for system administrators of large can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at email@example.com; or by at (408) 241-3111.