
List:       firewalls-gc
Subject:    RE: Secure Telneting into a internal network
From:       Jerry Mendes <mendes () garnet ! berkeley ! edu>
Date:       1997-02-11 2:19:53

Let me get my 2 cents into this, too.  Secure Shell (ssh) is really a good
idea in most cases....it's more or less like telnet with encryption.  As you
suggest, however, with a non-standard OS on the internal network, it would
probably be tricky...you'd be doing it on your own with little or no support
except for a mailing list group.

If you want to learn more about ssh, go to the homepage at the Helsinki
Technical University:
        http://www.cs.hut.fi/ssh/
There's an FAQ section, and a majordomo email distribution list.

Since it seems impractical to consider ssh, look at things you might do with
your firewall.

You don't say what kind it is.  If your major concern is authenticating the
users before they are allowed through the firewall, firewalls can generally
do that....requiring the users to log in.  You can require them to use
hand-held authenticators (SecureID, Crypto Card, etc) that automatically
give them a new, one-time password every time they connect.   One of the
vendors (someone on the list will surely know who) now has a software
version of the HHA, so that you install a program on the laptop that
replicates the function of the physical HHA, without requiring each user to
carry a physical device.

The best coming technology....all of the crypto vendors are going to have
products like this within the year...is the SmartCard, which will have an
RSA private keys and public keys for all of the servers one needs to connect
with.  I saw some of these at the recent RSA conference in San Francisco.
Here's a short list of vendors I saw with products:

        Chrysalis ITS (Ottawa)                  chrysalis-its.com
        Entegrity Solutions (Sunnyvale)         entegrity.com
        VPNet (San Jose)                        vpnet.com

If you need more than just authentication (i.e., you're looking for encryption
of telnet sessions), you can do that too.  You're looking for VPN
technology.  Some firewall vendors have it built in, some sell it as an add-on.

In this case, the users again authenticate themselves, using RSA public key
cryptography.  Once the authentication is done, all transmissions are
encrypted using a secret session key which is generated by the encryption
"server", and sent through the encrypted tunnel (the VPN) to the client
workstation.  Good practice requires that a new session key be generated on
a regular basis, so that someone capturing packets would have an almost
impossible job to break the key, and decode the traffic before the new key
is generated.

Public key cryptography, when used within the U.S. or Canada, is very secure
(key lengths range from 128 to 1024 bits).  If your users are in locations
outside North America, and you buy from U.S. vendors, then you probably
realize that you will not be able to purchase technology with key lengths
over 40 bits.

If I've carried on a bit too much, I apologize.  It's the teacher in me.  :-)


At 12:12 PM 1/30/97 -0600, Allen D. Harpham wrote:

>I have gotten a lot of good leads to the solution of this problem.  i
>really appreciate the help on this list.
>
>In talking to the client further, one request has come up that might put a
>monkey wrench into the works.
>
>They use a windows based telnet package that they would like to use to
>access their hosts on the internal network over the internet.
>
>In that case, it appears that ssh wouldn't work.  Should I be looking at
>some kind of tcp wrapper in this case?
>
>
>BTW, the internal hosts are not running unix.  They are running a
>proprietary operating system that supports telnet.  So I assume the best
>thing would be to set up a telnet server behind the firewall and have them
>first telnet into the telnet server and then telnet to the internal host.
>Correct me if I am wrong.

I don't think setting up a "proxy" telnet server is the right solution.
That's pretty much what the firewall is already doing.
___________________________________________________________________________
Jerry Mendes, Principal Consultant          Voice: (415) 381-5500
DataComm Insights                           FAX:   (415) 381-5502
150 Seminary Drive                          Email: mendes@garnet.berkeley.edu
Mill Valley, California  94941

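The VPN passage in the post has the encryption "server" generate a secret session key, send it to the client through the existing tunnel, and replace it on a regular basis so that captured packets are hard to decode before the key changes. The following simulation is an added example, not code from the post or from any vendor it names. It assumes a shared initial key already in place (standing in for the RSA-authenticated setup the post describes), a constructed record format with an HMAC-SHA256 toy cipher in place of a real cipher suite, and a rekey interval of three records. It runs a short server-to-client session, stores every record as a passive capturer on the path would, and then shows what that capturer recovers once it holds the key of a single epoch.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed toy record layer (illustration only; a real tunnel uses a vetted
# AEAD cipher): encrypt-then-MAC with HMAC-SHA256 subkeys and an HMAC keystream.
HDR = struct.Struct(">IQ")  # epoch (uint32) || record sequence number (uint64)
TAG_LEN = 32
REKEY_AFTER = 3             # records per session key; real systems also bound time and bytes
DATA, REKEY = 0x00, 0x01    # record type, carried as the first plaintext byte


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, header + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, epoch: int, seq: int, payload: bytes) -> bytes:
    header = HDR.pack(epoch, seq)
    ks = _keystream(_subkey(key, b"enc"), header, len(payload))
    body = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    return header + body + tag


def open_record(key: bytes, record: bytes):
    """Return (epoch, seq, payload); raise ValueError if `key` did not produce this record."""
    header, body, tag = record[:HDR.size], record[HDR.size:-TAG_LEN], record[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("bad tag: wrong session key or tampered record")
    epoch, seq = HDR.unpack(header)
    ks = _keystream(_subkey(key, b"enc"), header, len(body))
    return epoch, seq, bytes(c ^ k for c, k in zip(body, ks))


class Endpoint:
    """One end of the tunnel. The initiator (the post's encryption 'server') picks
    each new session key and ships it to the peer inside the current tunnel."""

    def __init__(self, initial_key: bytes, initiator: bool = False):
        self.key, self.epoch, self.send_seq, self.recv_seq = initial_key, 0, 0, 0
        self.initiator = initiator

    def _switch(self, new_key: bytes) -> None:
        self.key, self.epoch, self.send_seq, self.recv_seq = new_key, self.epoch + 1, 0, 0

    def _emit(self, payload: bytes) -> bytes:
        record = seal(self.key, self.epoch, self.send_seq, payload)
        self.send_seq += 1
        return record

    def send(self, data: bytes) -> list:
        records = [self._emit(bytes([DATA]) + data)]
        if self.initiator and self.send_seq >= REKEY_AFTER:
            new_key = secrets.token_bytes(32)
            records.append(self._emit(bytes([REKEY]) + new_key))  # new key rides under the old one
            self._switch(new_key)
        return records

    def recv(self, record: bytes):
        """Decode one record; None means it was a rekey and the tunnel has switched keys."""
        epoch, seq, payload = open_record(self.key, record)
        if epoch != self.epoch or seq != self.recv_seq:
            raise ValueError("replayed, reordered or stale-epoch record")
        self.recv_seq += 1
        if payload[0] == REKEY:
            self._switch(payload[1:])
            return None
        return payload[1:]


def run_session(messages, initial_key: bytes):
    """Server-to-client traffic. Returns (captured wire records, client's decoded data, final epoch)."""
    server, client = Endpoint(initial_key, initiator=True), Endpoint(initial_key)
    wire, received = [], []
    for m in messages:
        for record in server.send(m):
            wire.append(record)          # what a passive capturer on the path stores
            out = client.recv(record)
            if out is not None:
                received.append(out)
    return wire, received, server.epoch


def decrypt_capture(key: bytes, wire) -> list:
    """What a capturer recovers from stored records once it holds `key` for some
    epoch: every rekey record it can open hands it the key for the next epoch."""
    recovered = []
    for record in wire:
        try:
            _, _, payload = open_record(key, record)
        except ValueError:
            continue                     # record from an epoch whose key is unknown
        if payload[0] == REKEY:
            key = payload[1:]
        else:
            recovered.append(payload[1:])
    return recovered


def rejects(endpoint: Endpoint, record: bytes) -> bool:
    """True if the endpoint refuses the record (replay, reorder or wrong key)."""
    try:
        endpoint.recv(record)
        return False
    except ValueError:
        return True
```

The simulation makes the caveat a practitioner should attach to this design visible: because each replacement key is itself carried inside the tunnel, whoever recovers the key of one epoch (by exhausting a short export-grade key space, say) opens that epoch's rekey record and follows the chain forward, so regular rotation on its own does not limit what a stored capture gives up. Rotation bounds the exposure only when every new key is agreed afresh by both sides, for example through an ephemeral key exchange, rather than transmitted under the old key; the per-record sequence check is the other half of the picture, since it is what lets the receiver refuse a replayed or reordered record.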
