
[LDM #ZYU-864541]: Inside firewall to outside LDM initiation



Brice,

> Thanks for the reply.  While I completely agree with you on the security of 
> the LDM system, the Air Force Information Assurance folks have a habit of not 
> taking history into account, only 'rules'.  We will see.

Are connections to port 80 (the web server) allowed? If so, then that's a 
*much* greater risk than a connection to an LDM server's port 388.

As a part of a parallel effort that is going on here we are working on an 
SSH-tunnel based authentication scheme that we are going to be tasked to apply 
to 'external' LDM clients/servers.  You may remember some traffic on that from 
a few months ago.  If the inbound nature of LDM 'bothers' them, maybe that will 
add enough security that they will not fight too much over it.

Encrypting the traffic on an LDM connection is beyond the scope of the LDM 
system.

The reason I believe an LDM server can't become an attack vector is because the 
LDM protocol doesn't support acting on arbitrary requests (the protocol is 
tightly prescribed) and because the LDM server forks a child process to handle 
each incoming request, so crashing that process won't accomplish anything.

> Thanks again for the information and I will keep y'all up to date on how all 
> this plays out.

Appreciate it.

> Brice
> 
> Brice Biggerstaff
> JSC Weather Decision Support System
> MIDDS Software Support
> 281-853-3011 (w)
> 713-764-2601 (p)
> address@hidden  (alpha pager for text and email)
> 
> Res Confacti Erimus
> “We Get Things Done!”

Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: ZYU-864541
Department: Support LDM
Priority: Normal
Status: Closed