Re: (PM) SECURITY PROBLEM. (fwd)

Stephen Zedalis (tintype@exis.net)
Mon, 20 Jul 1998 10:45:56 -0400 (EDT)

On Sun, 19 Jul 1998, Thomas C Kinnen wrote:

>If people are worried about outside people telnetting in, put up a filter.
>People wonder why I do an allow all at the end of a lot of my filters; well,
>telnet to your equipment from outside should be blocked at the network
>border router. You can also put up a filter to allow telnet in for specific
>IPs only. I know all of my work / debug was done from a pool of about 5 IPs
>when I was still at an ISP. That's the way I would do it, but it's not the
>way that's best for everyone.

Granted. But you should not only block your border router, but also all
dial-in ports and any internal machine that has foreign accounts (i.e.
shell machines, colocated servers, etc.). It IS doable. But realize that
most sysadmins (not the ones on this list) are asleep at the switch.
Security flaws like this should be in the system design and not rely on
some positive action like manually entering a filter by a competent
sysadmin. Given that putting in filters is a good work-around for now
and sysadmins should realize what they are doing and log out properly, that
is no excuse for not having the chassis inherently secure out of the box.
And no argument by Lucent that it's not a bug, but a "feature" (as MZ put
it, done by DESIGN) holds water as far as security is concerned.

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>