** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to tcp-wrappers in Ubuntu.
https://bugs.launchpad.net/bugs/1839598

Title:
  tcp_wrappers does not whitelisting of domains, vs IPs

Status in tcp-wrappers package in Ubuntu:
  New

Bug description:
  TCP Wrappers (also known as tcp_wrappers) is a host-based networking ACL 
system, used to filter network access to Internet Protocol servers. It allows 
host or subnetwork IP addresses, names and/or ident query replies, to be used 
as tokens on which to filter for access control purposes. The original code was 
written by Wietse Venema in 1990 He maintained it until 1995, and on June 1, 
2001, released it under its own BSD-style license. The tarball includes a 
library named Libwrap that implements the actual functionality. I had an email 
conversation with him that lead to nowhere. He does not agree with my request 
for a redesign.
  Very concisely, there is no way as of now to whitelist a domain, vs an IP 
address. You need to know the IP address to which the domain resolves to 
beforehand, which makes domain updates impossible to process. This causes 
tremendous operational problems when the person you need to give access to has 
an IP address that changes often. 
  But I need to digress. Every foreign worker is a potential hacker, for there 
is no way to perform a security check on her/him. Many companies use them 
nevertheless because of the low cost. I know a company that hires North Korean 
engineers working out of mainland China. They log in for legitimate purposes to 
American corporate servers. They actually live in North Korea and are forced to 
back home every 3 weeks. They only have access to dynamic IP addresses, where a 
PTR record does not exist, thus, no reverse-hostname is possible. As a fact: no 
dynamic IP address has a corresponding PTR record.
  The question is how to whitelist a remote worker’s IP automatically. This 
issue cannot be easily solved since commercial VPNs do not guarantee that the 
same IP will be offered on the next connection. Many small companies that hire 
foreign workers end up creating fence servers, but that is exponentially more 
insecure since now you have a potential hacker sitting comfortably inside your 
firewall, behind your line of defense. Your network may have access to other 
companies networks, all the way up to a power station or a government facility, 
maybe a nuclear facility. A very somber scenario.
  Since Libwrap is the ultimate defense to keep hackers from controlling your 
servers, it should ONLY verify if an incoming connection resolves to a domain 
listed in /etc/hosts.allow. It does not. Prior, it performs a hostname check 
that invariably fails unless the pair IP address/ domain exists in /etc/hosts, 
but of course that information changes sometimes hourly. As a result of this 
problem, you cannot use it as a gatekeeper for remote access from dynamic IP 
addresses, increasing your level of insecurity.
  As I said, I explained all these ideas to the author, Wietse, without 
success. He insisted that using a public key was how you protect servers. I 
disagree. Without Libwrap, which means IP whitelisting, a simple public key 
mechanism is suicidal. It is very easy to see why. In a first step, a hacker 
steals the pair public-private key from a box which has legitimate access to 
your network. Then he uses the pair in another box located in his country, from 
which he will access your network as if he were the legitimate client or 
worker. It happened to me already. Libwrap applied to a domain plus public key 
will perform infinitely better than a public key alone. In fact, public key 
alone should not be used at all. This is obvious since by using it, you are 
delegating your security to the box you are allowing to connect, so your entire 
network is now as secure as your client or worker’s home network, which you 
don’t control. You just opened the doors of your company wide-open.
  What I suggest is to modify Libwrap so a domain listed in /etc/hosts.allow 
would work for real, just performing a simple DNS lookup to will match the IP 
address to the domain. Right now, this is impossible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tcp-wrappers/+bug/1839598/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to