[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SUNY-Albany and AFIT

Hello all,

Just to keep you updated on where we stand. I have found out that as
far as incoming data.  Our SC people want to know the specific IP
address and the port, and who they are.  They allow by IP only outside
of "fujita", basically once our request leaves fujita for Albany, it
will only allow back in from the IP of redwood, but not the name
redwood.  I think they forget we are an .edu site inside of a .mil
site, so you can see our firewall nightmare. Anything we open up has to
clear the military side of things, then the education side of things
before we can even get the clearance. I am sure you can imagine the
paperwork and the explanations I had to go through to get the data
coming in from Unidata, then I was told, "OK, this is the only site you
want, correct?".

They don't even like that I have a failover site, they want one site
and one site only.

I really appreciate all the help I am getting from outside the base
believe me, as well as the understanding.  I hope I am explaining all
this so you understand, please remember I am a weather person in a
computer position, with a whole 1 year of UNIX now under my belt.


-----Original Message-----
From: Anne Wilson [mailto:address@hidden
Sent: Tuesday, March 05, 2002 1:27 PM
To: David Knight
Cc: address@hidden; address@hidden;
address@hidden; address@hidden
Subject: Re: SUNY-Albany and AFIT

David Knight wrote:
> Hi Anne,
>     Jeff Sitler at afit tells me the machine is/will
> be known as fujita.afit.edu (not that it really matters
> since the name seems to be irelavant...).
> We have an allow for both the machine name and the IP
> number. It appears that when they they connect the request
> comes from the ip#
> Mar 04 19:30:34 redwood rpc.ldmd[6793]: gethostbyaddr: failed for
> Mar 04 19:30:34 redwood[6827]: Connection from
> Mar 04 19:30:34 redwood[6827]: Starting Up:
> 20020304190240.510
> Mar 04 19:30:34 redwood[6827]: topo:
> Even though the gethostbyaddr fails we apparently accept their
> connection (I'm not sure if this is because we have an explicit
> allow for the IP address, or if it is a change we made to our ldm
> configuration some time ago that I simply forget right now).
> There is no entry for fujita in /etc/hosts or our NIS+ tables.
> I really don't like feeding an IP number - it doesn't bother
> me with the NOAAPORT feed, but, given the restrictions we face
> with the NLDN feed I'd really much rather be able to document
> we are feeding an .edu site.
> Hope this helps...
> David
> p.s. I understand that afit has security concerns, but, they are
> not alone in this regard. In fact I am becoming less and less
> comfortable feeding an essentially anonymous host at what appears
> to be a military site. For example, what if despite our best
> efforts either redwood or striker get hacked, and the hacker
> uses these machines to send nasty stuff over the IDD to
> the afit site - should we even be taking that risk, or, be
> exposing ourselves to that responsibility? Also IP numbers
> can be easily spoofed, and a military machine might be a likely
> target for this. If I had any hair left I'd probably have to
> say I must be having a "bad hair day" ;-)

Hi David,

Thanks for the information.  You raise very good points regarding both
proprietary feeds and security.  I will raise these issues here for
discussion, this time in the context of .mil sites.  (LDM security is a
perennial topic.)  Although, Jeff Stitler assures us that fujita is a
.edu site.  This morning I was able to confirm that on the AFIT network
fujita is known as fujita.afit.edu.

Regarding the hacking potential, one significant safeguard is that the
LDM uses its own protocol.  Thus, there are only a few messages to which
the ldm will respond (HEREIS, COMINGSOON, BLKDATA, etc.), and it will
respond in well understood, predictable ways.  It would be very hard to
write some nefarious executable, wrap it properly, send it properly, and
get the remote ldm to do something beyond just stuffing it in the queue.

And, due to your message I learned something about the LDM this
morning.  When the IP addresses is used in ldmd.conf, the server will
try only once to do a reverse lookup.  And, that lookup doesn't need to
succeed, just as we saw in your logs above.

This means that some machine could spoof being AFIT by providing that IP
address to you and get you to feed them data.  This could be an issue
for your proprietary data.  I can understand your wanting to verify that
you're feeding a .edu.  With AFIT's restrictions that currently can't be
done.  We'll have to leave it to you to decide whether or not to feed
such sites.  

Regarding security on AFIT's side, AFIT is using names in their
ldmd.conf file instead of IP addresses, which forces the forward and
reverse lookup requirement.  So, it would be harder for some machine to
spoof being redwood.atmos.albany.edu.

I don't mean to dismiss your concerns, only to allay them.  We must
always be thinking about security.  

Anne Wilson                     UCAR Unidata Program            
address@hidden                 P.O. Box 3000
                                  Boulder, CO  80307
Unidata WWW server       http://www.unidata.ucar.edu/

>From address@hidden Tue Mar  5 13:48:15 2002
Received: from atmos.albany.edu (redwood.atmos.albany.edu [])
        by unidata.ucar.edu (UCAR/Unidata) with ESMTP id g25KmEK07447;
        Tue, 5 Mar 2002 13:48:14 -0700 (MST)
Organization: UCAR/Unidata
Keywords: 200203052048.g25KmEK07447
Received: from oak.atmos.albany.edu (oak [])
        by atmos.albany.edu (8.8.8+Sun/8.8.8) with ESMTP id UAA11164;
        Tue, 5 Mar 2002 20:48:11 GMT
Received: (from address@hidden)
        by oak.atmos.albany.edu (8.10.2+Sun/8.10.2) id g25Km9n03109;
        Tue, 5 Mar 2002 20:48:09 GMT
From: David Knight <address@hidden>
Message-Id: <address@hidden>
Subject: Re: SUNY-Albany and AFIT
In-Reply-To: <address@hidden> from Jeff Weber at "Mar 5, 2 01:12:00 pm"
To: address@hidden (Jeff Weber)
Date: Tue, 5 Mar 2002 20:48:09 +0000 (GMT)
Cc: address@hidden, address@hidden, address@hidden,
   address@hidden, address@hidden
X-Mailer: ELM [version 2.4ME+ PL39 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Hi all,
     We are willing to continue to feed fujita.afit.edu
NOAAPORT and NLDN by name and IP number from redwood and striker.
We take no responsibility for what, if anything, might happen
to their machines because of this arrangement. We also reserve
the right to discontinue this at any time for any reason.
The data we feed is to be used only for research and educational
purposes and should not be relied upon for *any* operational

NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.