Re: Restricting Access to TCP/IP and DECnet

From: Jim Duff <spam.this@xxxxxxxxx>
Date: Thu, 31 Jan 2008 07:02:29 +1100

Bob Gezelter wrote:

On Jan 30, 7:41 am, Jim Duff <spam.t...@xxxxxxxxx> wrote:
Bob Gezelter wrote:
On Jan 29, 6:58 pm, "Robert Jarratt" <nos...@xxxxxxx> wrote:
Is it possible to restrict access to TCP/IP (5.1) and DECnet (IV) on a
per-user basis? In other words I would like someone to be able to access my
machine, but not to go from that machine to anywhere else on the network.
Thanks
Rob

Rob,
WADU, I will have to disagree with Jim Duff. Restricting access to
particular images is a good idea, but since these are essentially non-
privileged images, a (somewhat) inventive user can circumvent the
security by finding and using copies of the images or equivalent from
his own directory.
[snip]

How is the user going to get a copy of the executable if it is marked
ACCESS=NONE?

Jim
--www.eight-cubed.com

Jim,

The comments that have been posted in the interim have mentioned
several various approaches that concern me.

Preventing access to executables has its utility, but it presumes that
the users being secured against have no capability of getting
executables on their own power.

From an auditing perspective, it is a far surer thing to prohibit
access to the device that serves as a mandatory gateway to the TCP/IP
stack (or to remove NETMBX, after verification that it is indeed
needed for ALL network accesses), than to say "Well, I have blocked
access to known network utilities". Blocking access to utilities is
akin to applications level controls, they have some utility, but they
are not airtight in the face of user belligerence, which is what
security measures are intended to prevent.

[snip]

OK, I'm paranoid. But am I paranoid *enough*?

;-)

--
www.eight-cubed.com
.

References:
- Restricting Access to TCP/IP and DECnet
  - From: Robert Jarratt
- Re: Restricting Access to TCP/IP and DECnet
  - From: Bob Gezelter
- Re: Restricting Access to TCP/IP and DECnet
  - From: Jim Duff
- Re: Restricting Access to TCP/IP and DECnet
  - From: Bob Gezelter

Prev by Date: Re: VT100 standards and EDT
Next by Date: Re: VT100 standards and EDT
Previous by thread: Re: Restricting Access to TCP/IP and DECnet
Next by thread: Re: Restricting Access to TCP/IP and DECnet
Index(es):
- Date
- Thread

Relevant Pages

Re: Restricting Access to TCP/IP and DECnet
... but not to go from that machine to anywhere else on the network. ... particular images is a good idea, but since these are essentially non- ... executables on their own power. ... security measures are intended to prevent. ...
(comp.os.vms)
visible cosmic network of deep sky filaments ("Murray mesh") as redshifted hard gamma radi
... visible cosmic network of deep sky filaments as redshifted ... discernable with patient scrutiny of almost all deep sky images at visible ... Click on the thumbnail photos to get the photos, ... fundamental strings could have been produced in the early ...
(sci.astro.amateur)
visible cosmic network of deep sky filaments ("Murray mesh") as redshifted hard gamma radi
... visible cosmic network of deep sky filaments as redshifted ... discernable with patient scrutiny of almost all deep sky images at visible ... Click on the thumbnail photos to get the photos, ... fundamental strings could have been produced in the early ...
(sci.physics)
visible cosmic network of deep sky filaments ("Murray mesh") as redshifted hard gamma radi
... visible cosmic network of deep sky filaments as redshifted ... discernable with patient scrutiny of almost all deep sky images at visible ... Click on the thumbnail photos to get the photos, ... fundamental strings could have been produced in the early ...
(sci.astro)
Re: 80072AFC
... I set this one up the same way as all of my other images, ... Any errors in the C:\MININT logs? ... the IP of the server and map a network drive, so I know that the network ... Otherwise enable the option "Allow installation of Operating System ...
(microsoft.public.sms.tools)