RE: [FW1] Reasons against opening I-net access..
Let me add another perspective to this. I am in the situation you are contemplating, all my users have unrestricted access to the Internet thru the firewall. I have spent the last 6 or 8 months trying to get my hands on what they need to have open in order to do their jobs and what is just fluff. It is, at the very least, a daunting task. I have a relatively small organization (about 250 people) and getting the time to sift thru all their traffic (about 100,000 log entries a day) is tough and I have the added luxury of having all my logs in an Oracle database which provides me with a large amount of analysis capabilities. Asking my users to identify what they need is a no-go since all they know is that they click on an icon or a link and it works. They don't even know when they are switching from http to ftp to telnet to smtp.

The point here is that you already have it tied down, if you open it up, you will probably never get it back under control. What I would suggest, is to open it up for select users. Make the users justify to management (not to you) why they need this and what it is for. That will quickly out the game downloaders from the real workers.

Jim Edwards
Systems Manager
Texas Secretary of State

-----Original Message-----
From: Jason Witty [mailto:[email protected]]
Sent: Thursday, September 07, 2000 7:16 PM
To: Joe Delsol; FW-1 List (E-mail)
Subject: Re: [FW1] Reasons against opening I-net access..

Joe,

I could ramble on about the dangers of this for hours, but here's a few of the heavy hitting reasons not to do so:

1) The misuse possibilities are endless - internal users could bridge your network by using outbound VPN connections (PPTP, GRE tunnels, SOCKS, for example), things like Napster, Quake, AOL, AOL Instant Messenger, IRC, Pointcast, and a host of other non-business related utilities would all work. This could massively degrade your bandwidth utilization, not to mention promote loss of productivity costs.

2) Nothing would prevent users from using non-encrypted protocols to send your confidential information over the Internet - telnet (including tn5250, tn3270), FTP, SMTP, etc.

3) If you don't have spoof protection installed perfectly, an attacker can easily craft packets such that state table connections get made that look like they came from the inside network. Then, the attacker can exploit things like the recently discovered FTP-PORT, FTP-PASV, Simplex TCP Connections, and RSH stderr handling exploits to ride the open channel back into your network (see http://www.dataprotect.com/bh2000/blackhat-fw1.txt for more info on this.)

4) Nothing would prevent the next trojan horse or even internet worm from propagating out of your network. How would management feel if the next worm virus simply posted all your IP, username, password, and *.doc files to a public IRC chat room?

5) Same thing in #4 applies to hostile JAVA and ActiveX code. Heard of BrownOrifice? See http://securityportal.com/list-archive/bugtraq/2000/Aug/0146.html , entitled "Brown Orifice Can Break Firewalls!"

6) Stepping down from the soapbox, there's a lot of other reasons not to do that. Doing so is just asking for trouble.

Hope this helps (my apologies for the rant)!

Jason

At 04:17 PM 9/7/00 -0700, Joe Delsol wrote:
>
> What are the reasons against opening all port access to the internet from
> my internal users? Srv > Any
> Any ideas? Thanks!
> Joe

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
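Jim's message describes the real work behind "open it for select users": sifting tens of thousands of daily firewall log entries to separate the services people actually use from the fluff. The following is an added example, not code from the thread or from any firewall vendor, showing the shape of that triage over a constructed log sample; the column layout, the business/risky service lists and the hosts are all assumptions chosen for the illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of accepted outbound connections, in the flat fields a
# firewall log export typically carries (assumed columns: time,src,dst,proto,dport,action).
SAMPLE_LOG = """\
time,src,dst,proto,dport,action
2000-09-07 09:01:12,10.1.1.20,192.0.2.10,tcp,80,accept
2000-09-07 09:01:30,10.1.1.20,192.0.2.11,tcp,443,accept
2000-09-07 09:02:05,10.1.1.31,198.51.100.7,tcp,21,accept
2000-09-07 09:02:44,10.1.1.31,198.51.100.8,tcp,23,accept
2000-09-07 09:03:10,10.1.1.42,203.0.113.5,tcp,6699,accept
2000-09-07 09:03:15,10.1.1.42,203.0.113.9,tcp,1723,accept
2000-09-07 09:04:00,10.1.1.20,192.0.2.12,tcp,25,accept
2000-09-07 09:04:30,10.1.1.20,192.0.2.13,tcp,23,drop
"""

# Services the organisation has decided it needs (assumed list for the example).
BUSINESS_SERVICES = {"tcp/80": "http", "tcp/443": "https", "tcp/25": "smtp"}

# Cleartext and tunnelling services the thread singles out as risky when left open outbound.
RISKY_SERVICES = {"tcp/23": "telnet (cleartext)", "tcp/21": "ftp (cleartext)",
                  "tcp/1723": "pptp (outbound tunnel)"}


def summarise(log_text):
    """Return {src: {proto/dport: hit_count}} for accepted outbound connections only."""
    per_host = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(log_text)):
        if row["action"] != "accept":      # dropped traffic never reached the Internet
            continue
        per_host[row["src"]][f'{row["proto"]}/{row["dport"]}'] += 1
    return per_host


def classify(per_host):
    """Bucket each host's services so the unknown ones can be taken to management."""
    report = {}
    for src, services in per_host.items():
        report[src] = {
            "business": sorted(s for s in services if s in BUSINESS_SERVICES),
            "risky": sorted(s for s in services if s in RISKY_SERVICES),
            "unknown": sorted(s for s in services
                              if s not in BUSINESS_SERVICES and s not in RISKY_SERVICES),
        }
    return report


if __name__ == "__main__":
    for src, buckets in sorted(classify(summarise(SAMPLE_LOG)).items()):
        print(src, buckets)
```

The "unknown" bucket is the list a user has to justify; on a real export the per-host counts also show which "needed" services are in fact touched once a month.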