Nmap Announce mailing list archives

Re: legality of port-mapping


From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Thu, 4 Mar 1999 10:54:37 -0800

On Wed, 3 Mar 1999, Gregory A. Carter wrote:
> On Mon, 1 Mar 1999, Rob Quinn wrote:
>
> >  Ahhh... so where is it that I'm supposed to hang my ``NO TRESPASSING'' sign
> > so that you can see it?
> >
> >  I think most of my customers would say the `public' part of the network
> > stops right at the point where they start paying out the cash - the upstream
> > side of their circuit.
> >  I'm still looking for the virtual fence-post or front door that I can
> > nail my NO TRESPASSING sign to.
>
> On the net these days I would say your no trespassing sign needs to be a
> closed port.  If you don't want users opening up a socket to your system,
> don't advertise your routes to the net and don't run any services, or
> filter out users you don't want to be able to connect to it.

Unfortunately, a closed port is not always an option.  I admin a small but
extremely heterogeneous 'cluster' of machines including Linux, IRIX
5.3/6.2/6.4, Digital Unix 3.2/4.0, HP-UX 9.0/11.0, Solaris 2.4/2.5.1 and
one SunOS 4.1.4.  Since we do software development I have no option other
than to run and support these platforms.  I'm also in a university
environment where the only firewalling I can do is room-by-room and,
unfortunately, that would require 3-4 firewalls for our 20 machines and
that is not going to fly past my boss.  Getting the people who run the
hubs/routers in the building (campus Computing and Communications dept) to
firewall the building isn't an option -- we're having a hard enough time
getting them to install switching hubs.  I cannot take over the building
network (I'd love to) because I'm only one of many groups in the building
from entirely different departments and I am not the largest (of course
C&C would never agree to this anyway even if we could get some solidarity
out of the building system admins).

So, firewalling isn't an option.  The next option to try is closing ports
and implementing access controls.  This is fine for Linux -- it is open
source and there exist utilities like ipfwadm to filter packets and in the
latest RH5.2 distribution they've linked mountd against libwrap.
However, I also have to support Digital Unix for which there is no packet
filter that I know of other than a crude one which drops packets by IP
source address (and doesn't know anything about TCP so you can't block by
IP addr + port).  Since this machine also serves the RAID array which is
NFS mounted I need to be running services like nfs/2048 and statd and
lockd. On Digital Unix these services have no access controls like being
linked against libwrap.  I have installed a portmapper linked against
libwrap, but I don't have the Digital Unix sources to be able to do the
same for the other NFS daemons.  Then I need to deal with HP-UX and 3
different flavors of IRIX (I think that 6.4 supports an ipfilterd that I'm
going to look into, but we still need to support 5.3 and 6.2 for
development).

There is no place to hang a "NO TRESPASSING" sign.  You can't do it.  And
therefore, the 'trespassing' analogy fails like all of the rest of the
analogies that people bring up on this topic.  Computers and the "virtual
world" of networking are a lot more complicated than physical property.

And given the fact that it is impossible to hang a "NO TRESPASSING" sign
up, I think that the courts are not going to view this as a sufficient
defense.  At least I would never bet my freedom on expecting this defense
to fly.

-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
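The host-based access control Lamont falls back on, a portmapper linked against libwrap, decides each incoming connection from /etc/hosts.allow and /etc/hosts.deny. The Python below is added here and is not part of the original message; it models that hosts_access decision on a constructed policy (the 10.1.2.0/24 subnet and the daemon names are placeholders) and exercises the pitfall a practitioner checks for: without a catch-all in hosts.deny, an unmatched client is allowed.

```python
import ipaddress

def _client_matches(pattern, ip):
    """Match one hosts.allow/hosts.deny client pattern against a dotted quad."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":              # hostnames without a dot; no lookups modelled here
        return False
    if "/" in pattern:                  # net/mask form, e.g. 128.95.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(ip) in network
    if pattern.endswith("."):           # dotted prefix, e.g. 128.95.
        return ip.startswith(pattern)
    return ip == pattern

def _rule_matches(line, daemon, ip):
    """A rule fires only when both its daemon list and its client list match."""
    fields = line.split(":")
    if len(fields) < 2:                 # malformed line: ignore it
        return False
    daemon_ok = any(d in ("ALL", daemon) for d in fields[0].split())
    client_ok = any(_client_matches(p, ip) for p in fields[1].split())
    return daemon_ok and client_ok

def hosts_access(daemon, ip, allow_text, deny_text):
    """Return True if libwrap would admit client `ip` to `daemon`.
    Order is fixed: first match in hosts.allow wins, then hosts.deny;
    if neither file matches, the connection is ALLOWED by default."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and _rule_matches(line, daemon, ip):
                return verdict
    return True

# Constructed policy: RPC daemons reachable only from one department subnet
# (10.1.2.0/24 is a placeholder), everything else refused.  The hosts.deny
# catch-all is what turns libwrap's permissive default into a closed door.
HOSTS_ALLOW = """
# constructed lab subnet
portmap mountd: 10.1.2.0/255.255.255.0
sshd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"

def decide(daemon, ip, deny_text=HOSTS_DENY):
    """Evaluate the constructed policy for one (daemon, client) pair."""
    return hosts_access(daemon, ip, HOSTS_ALLOW, deny_text)
```

Passing `deny_text=""` to `decide` reproduces a host with no hosts.deny, where the same outside client is let through to portmap.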
