Nmap Announce mailing list archives
Re: legality of port-mapping
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Thu, 4 Mar 1999 10:54:37 -0800
On Wed, 3 Mar 1999, Gregory A. Carter wrote:
> On Mon, 1 Mar 1999, Rob Quinn wrote:
> > Ahhh... so where is it that I'm supposed to hang my ``NO TRESPASSING'' sign
> > so that you can see it?
> >
> > I think most of my customers would say the `public' part of the network
> > stops right at the point where they start paying out the cash - the upstream
> > side of their circuit.
> > I'm still looking for the virtual fence-post or front door that I can
> > nail my NO TRESPASSING sign to.
>
> On the net these days I would say your no trespassing sign needs to be a
> closed port. If you don't want users opening up a socket to your system,
> don't advertise your routes to the net and don't run any services, or
> filter out users you don't want to be able to connect to it.
Unfortunately, a closed port is not always an option. I admin a small but extremely heterogeneous 'cluster' of machines including Linux, IRIX 5.3/6.2/6.4, Digital Unix 3.2/4.0, HP-UX 9.0/11.0, Solaris 2.4/2.5.1 and one SunOS 4.1.4. Since we do software development I have no option other than to run and support these platforms. I'm also in a university environment where the only firewalling I can do is room-by-room and, unfortunately, that would require 3-4 firewalls for our 20 machines and that is not going to fly past my boss. Getting the people who run the hubs/routers in the building (campus Computing and Communications dept) to firewall the building isn't an option -- we're having a hard enough time getting them to install switching hubs. I cannot take over the building network (I'd love to) because I'm only one of many groups in the building from entirely different departments and I am not the largest (of course C&C would never agree to this anyway even if we could get some solidarity out of the building system admins). So, firewalling isn't an option.

The next option to try is closing ports and implementing access controls. This is fine for Linux -- it is open source and there exist utilities like ipfwadm to filter packets, and in the latest RH5.2 distribution they've linked mountd against libwrap. However, I also have to support Digital Unix, for which there is no packet filter that I know of other than a crude one which drops packets by IP source address (and doesn't know anything about TCP, so you can't block by IP addr + port). Since this machine also serves the RAID array which is NFS mounted, I need to be running services like nfs/2048 and statd and lockd. On Digital Unix these services have no access controls like being linked against libwrap. I have installed a portmapper linked against libwrap, but I don't have the Digital Unix sources to be able to do the same for the other NFS daemons.

Then I need to deal with HP-UX and 3 different flavors of IRIX (I think that 6.4 supports an ipfilterd that I'm going to look into, but we still need to support 5.3 and 6.2 for development).

There is no place to hang a "NO TRESPASSING" sign. You can't do it. And therefore, the 'trespassing' analogy fails like all of the rest of the analogies that people bring up on this topic. Computers and the "virtual world" of networking are a lot more complicated than physical property. And given the fact that it is impossible to hang a "NO TRESPASSING" sign up, I think that the courts are not going to view this as a sufficient defense. At least I would never bet my freedom on expecting this defense to fly.

--
Lamont Granquist lamontg () raven genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka