Ascend Archive

Re: (ASCEND) Feature Requests and Ascend?





On Wed, 8 Oct 1997, Marc Slemko wrote:

> On Wed, 8 Oct 1997, Tim Basher wrote:
> 
> > > That's one of the reasons I wasn't impressed when Ascend told me
> > > that the quaint idea of having the immediate modem port enabled on an
> > > Internet accessible box was something they had never imagined.
> > 
> > To be honest, I can't imagine it either - this is just a problem waiting
> > to happen.  Why would anyone want a modem port that any person could get
> > to?  Immediate modem is useful in controlled environments, which the
> > Internet definitely *isn't*.  If you want to control the usage then just
> > don't use immediate modem - use the terminal server mode and the "open"
> > command.  This allows you to limit access to the modem to those people
> > who have terminal server access privileges.
> 
> I can already control the access very nicely thanks, with this thing
> called passwords.  I have no trouble with the access controls for
> authorized use.  Please understand the feature I am talking about before
> talking about something that has no relevance to the issue.  Yes,
> unencrypted passwords suck but that is a different matter.  The problem I
> have is that the box has the bug of crashing if someone opens a couple
> (what some would consider a reasonable number; after all, there could be
> that many actual modems in a box for people to connect to) of connections
> to it.
> 
> Packet filtering it at the max isn't a solution, only a workaround, both
> because the MAX tends to start doing odd things at times if you use packet
> filters and because it doesn't solve the problem; just because someone
> with a password from a particular host should be able to use the modem
> doesn't mean that someone without a password from that host should be able
> to crash it.

Let's be honest here: just how much packet filtering can you do on
a MAX before you start to tax the I960 and start to affect performance? On
the issue of security and the MAX, I'd like to see more traps sent,
for instance:


Trap sent with the IP address of the user when successfully telnet'd into a MAX.
Trap sent when a user enters a certain profile. (This may be there.)
I'd like to see the MAX syslog any changes that a user may make
to the configuration. For instance, with TACACS and Cisco you can
log just about every keystroke that the user makes.

This can and should be done on the TNT, considering it's CLI based. I guess
I'll hit the Ascend feature request page.


Jason Nealis
Director Internet Operations
Network Access
Erols Internet


> 
> Having people telnet in remotely also isn't an answer because of the
> restricted number of telnet connections available to a MAX and the fact
> that modem access should be controlled separately from access to the rest
> of the box.
> 
> It really isn't that complicated for connections to be refused before the
> box starts tipping over.
> 
> ++ Ascend Users Mailing List ++
> To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
> To get FAQ'd:	<http://www.nealis.net/ascend/faq>
> 
