[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SUNY-Albany and AFIT



Hi Jeff, 

Anyone from the second level on this URL:
http://www.unidata.ucar.edu/projects/idd/nexradFeed.html

with you being in Ohio, I would suggest either stokes, profhorn, or
flood..


traceroutes to each will shed some light as to how well you are connected
to these machines..

Yes, I do not forsee any security issues either but David is in the
position of holding propriatary data, so I certainly understand his
concerns. He is providing a valuable service distributing the NLDN feed.


Let me know what you find and who you will be feeding NNEXRAD from so I
can update our records here at the UPC.


Thanks,

-Jeff
____________________________                  _____________________
Jeff Weber                                    address@hidden
Unidata Support                               PH:303-497-8676 
NWS-COMET Case Study Library                  FX:303-497-8690
University Corp for Atmospheric Research      3300 Mitchell Ln
http://www.unidata.ucar.edu/staff/jweber      Boulder,Co 80307-3000
________________________________________      ______________________

On Wed, 6 Mar 2002, Sitler Jeffrey L Civ AFIT/ENP wrote:

> Jeff,
> Who can we get NNEXRAD from? I will place the request.
> I understand David's concern, but I will bet we are much
> more secure than almost any .edu site out there.
> We also don't do any operational weather, it is used 
> strictly for research and synoptic lab. While we are on
> a military base, and we are the Air Force Institute of Technology
> we have all the same credentials as every other .edu site out there
> except the cirriculum is tailored to meet the Air Forces needs as 
> far as research goes.  Which in David's case, we just had 3 students
> each do a different thesis on lightning for Cape Canaveral.
> Have a good day.
> Jeff
> 
> 
> -----Original Message-----
> From: Jeff Weber [mailto:address@hidden
> Sent: Tuesday, March 05, 2002 3:12 PM
> To: Sitler Jeffrey L Civ AFIT/ENP
> Cc: 'Anne Wilson'; David Knight; address@hidden;
> address@hidden
> Subject: RE: SUNY-Albany and AFIT
> 
> 
> Hi Jeff, 
> 
> I understand your security issues.
> 
> However, if you want NNEXRAD data, you will need to allow another IP for
> that feed source. Redwood only carries a brief subset of NNEXRAD..only one
> site. So if you desire NNEXRAD we need to evaluate that issue. Also,
> regarding the NLDN data, we need to be certain David feels comfortable
> feeding an IP, and then you would need to allow the IP for striker as
> well, so now we are up to 3 IP (holes) in your firewall not to mention
> allowing at least imogene from unidata access to your machine...
> 
> 
> Keep us posted we will do all we can from here,
> 
> -Jeff
> ____________________________                  _____________________
> Jeff Weber                                    address@hidden
> Unidata Support                               PH:303-497-8676 
> NWS-COMET Case Study Library                  FX:303-497-8690
> University Corp for Atmospheric Research      3300 Mitchell Ln
> http://www.unidata.ucar.edu/staff/jweber      Boulder,Co 80307-3000
> ________________________________________      ______________________
> 
> On Tue, 5 Mar 2002, Sitler Jeffrey L Civ AFIT/ENP wrote:
> 
> > Hello all,
> > Just to keep you updated on where we stand. I have found out that as far
> as
> > incoming data.
> > Our SC people want to know the specific IP address and the port, and who
> > they are.
> > They allow by IP only outside of "fujita", basically once our request
> leaves
> > fujita for Albany, it will only allow back in from the IP of redwood, but
> > not the name redwood. 
> > I think they forget we are an .edu site inside of a .mil site, so you can
> > see our
> > firewall nightmare. Anything we open up has to clear the military side of
> > things, then the education side of things
> > before we can even get the clearance. I am sure you can imagine the
> > paperwork and the explanations I had to go
> > through to get the data coming in from Unidata, then I was told, "OK, this
> > is the only site you want, correct?".
> > They don't even like that I have a failover site, they want one site and
> one
> > site only.
> > I really appreciate all the help I am getting from outside the base
> believe
> > me, as well as the understanding.
> > I hope I am explaining all this so you understand, please remember I am a
> > weather person in a computer position, with a whole 1 year of UNIX now
> under
> > my belt.
> > Thanks
> > Jeff
> > 
> > 
> > 
> > -----Original Message-----
> > From: Anne Wilson [mailto:address@hidden
> > Sent: Tuesday, March 05, 2002 1:27 PM
> > To: David Knight
> > Cc: address@hidden; address@hidden;
> > address@hidden; address@hidden
> > Subject: Re: SUNY-Albany and AFIT
> > 
> > 
> > David Knight wrote:
> > > 
> > > Hi Anne,
> > > 
> > >     Jeff Sitler at afit tells me the machine is/will
> > > be known as fujita.afit.edu (not that it really matters
> > > since the name seems to be irelavant...).
> > > We have an allow for both the machine name and the IP
> > > number. It appears that when they they connect the request
> > > comes from the ip#
> > > 
> > > Mar 04 19:30:34 redwood rpc.ldmd[6793]: gethostbyaddr: failed for
> > > 129.92.9.62
> > > Mar 04 19:30:34 redwood 129.92.9.62[6827]: Connection from 129.92.9.62
> > > Mar 04 19:30:34 redwood 129.92.9.62(feed)[6827]: Starting Up:
> > > 20020304190240.510
> > >  TS_ENDT {{NNEXRAD|UNIDATA,  ".*"}}
> > > Mar 04 19:30:34 redwood 129.92.9.62(feed)[6827]: topo:  129.92.9.62
> > > NNEXRAD|UNIDATA
> > > 
> > > Even though the gethostbyaddr fails we apparently accept their
> > > connection (I'm not sure if this is because we have an explicit
> > > allow for the IP address, or if it is a change we made to our ldm
> > > configuration some time ago that I simply forget right now).
> > > There is no entry for fujita in /etc/hosts or our NIS+ tables.
> > > I really don't like feeding an IP number - it doesn't bother
> > > me with the NOAAPORT feed, but, given the restrictions we face
> > > with the NLDN feed I'd really much rather be able to document
> > > we are feeding an .edu site.
> > > 
> > > Hope this helps...
> > > David
> > > 
> > > p.s. I understand that afit has security concerns, but, they are
> > > not alone in this regard. In fact I am becoming less and less
> > > comfortable feeding an essentially anonymous host at what appears
> > > to be a military site. For example, what if despite our best
> > > efforts either redwood or striker get hacked, and the hacker
> > > uses these machines to send nasty stuff over the IDD to
> > > the afit site - should we even be taking that risk, or, be
> > > exposing ourselves to that responsibility? Also IP numbers
> > > can be easily spoofed, and a military machine might be a likely
> > > target for this. If I had any hair left I'd probably have to
> > > say I must be having a "bad hair day" ;-)
> > > 
> > 
> > Hi David,
> > 
> > Thanks for the information.  You raise very good points regarding both
> > proprietary feeds and security.  I will raise these issues here for
> > discussion, this time in the context of .mil sites.  (LDM security is a
> > perennial topic.)  Although, Jeff Stitler assures us that fujita is a
> > .edu site.  This morning I was able to confirm that on the AFIT network
> > fujita is known as fujita.afit.edu.
> > 
> > Regarding the hacking potential, one significant safeguard is that the
> > LDM uses its own protocol.  Thus, there are only a few messages to which
> > the ldm will respond (HEREIS, COMINGSOON, BLKDATA, etc.), and it will
> > respond in well understood, predictable ways.  It would be very hard to
> > write some nefarious executable, wrap it properly, send it properly, and
> > get the remote ldm to do something beyond just stuffing it in the queue.
> > 
> > And, due to your message I learned something about the LDM this
> > morning.  When the IP addresses is used in ldmd.conf, the server will
> > try only once to do a reverse lookup.  And, that lookup doesn't need to
> > succeed, just as we saw in your logs above.
> > 
> > This means that some machine could spoof being AFIT by providing that IP
> > address to you and get you to feed them data.  This could be an issue
> > for your proprietary data.  I can understand your wanting to verify that
> > you're feeding a .edu.  With AFIT's restrictions that currently can't be
> > done.  We'll have to leave it to you to decide whether or not to feed
> > such sites.  
> > 
> > Regarding security on AFIT's side, AFIT is using names in their
> > ldmd.conf file instead of IP addresses, which forces the forward and
> > reverse lookup requirement.  So, it would be harder for some machine to
> > spoof being redwood.atmos.albany.edu.
> > 
> > I don't mean to dismiss your concerns, only to allay them.  We must
> > always be thinking about security.  
> > 
> > Anne
> > ***************************************************
> > Anne Wilson                 UCAR Unidata Program            
> > address@hidden                     P.O. Box 3000
> >                                       Boulder, CO  80307
> > ----------------------------------------------------
> > Unidata WWW server       http://www.unidata.ucar.edu/
> > ****************************************************
> > 
> 


NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.