RE: [FW1] Do these solutions post unacceptable security risk?
Any time you allow an outsider full control of one of your internal machines it's a security risk. And the worst part is that you don't really know who is on the other end, whether they're dangerously curious, about to quit their job and feel like leaving a little present behind, or take no measures to protect your logon credentials (to name just a few of the risks).

Having said that, sometimes you simply have no choice. What we've done in these situations is to set up access via Terminal Services or Citrix and manually enable the rules at the request of the vendor, and only for the duration that they actually need access to the box. In other words, we try to limit the window of vulnerability to the shortest time span possible.

The other thing we do is force the vendor to use two-factor authentication, like SecurID. That way there's a tighter audit trail of who's doing what and less chance the vendor can claim innocence if something does go wrong.

The sad part of all this is that no matter how good your security might be, your vendor has just become the weakest link in the chain, if for no other reason than your inability to assess and control their environment.

Geoff

-----Original Message-----
From: Ivan Fox [mailto:[email protected]]
Sent: Sunday, January 21, 2001 12:18 PM
To: fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail)
Subject: [FW1] Do these solutions post unacceptable security risk?

There are a number of Unix-based and NT-based application servers on the internal network. They are so special that the vendor needs to access these servers from the Internet to trouble-shoot and support, when needed. The following are proposed "solutions"; your comments/suggestions are appreciated.

1) SSH for Unix-based servers
2) VNC for NT-based servers
3) VPN for both Unix and NT servers.

In these cases, we need to drill a number of holes in the firewall to allow port 22, 5900 and/or 50 to pass through.

We want the "vendor" to be authenticated by Check Point Firewall-1 before allowing them to come in and then access ONLY those servers. The rule would be:

    src          dst                    service   action
    vendor ip    encryption-domain-x    50        client-auth
                 (consists of ip of
                  unix-nt servers)

Would such a "design" post any security risk to us? Any comments/suggestions are appreciated.

Dave

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
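Geoff's practice above (open the rule only at the vendor's request and only for the duration needed, require two-factor authentication, keep an audit trail) applied to the original poster's rule tuple (src = vendor ip, dst = encryption-domain-x, service = 22/5900/50, action = client-auth), written up as an added Python model of the decision logic. This is not code from the thread or from Check Point; the addresses, window length and service names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for the poster's "encryption-domain-x", i.e. the set
# of Unix/NT application servers the vendor is allowed to reach.
ENCRYPTION_DOMAIN_X = [ip_network("10.10.1.0/28")]
# Services named in the thread: SSH (22), VNC (5900) and IPsec ESP, which is
# IP protocol 50 rather than a TCP port, so it is written "ip/50" here.
ALLOWED_SERVICES = {"tcp/22", "tcp/5900", "ip/50"}


@dataclass
class Grant:
    """One manually opened access window for one vendor source address."""
    opened_at: datetime
    duration: timedelta
    two_factor_ok: bool  # set only after a SecurID-style login succeeded


@dataclass
class VendorAccessPolicy:
    grants: dict = field(default_factory=dict)  # vendor ip -> Grant
    audit: list = field(default_factory=list)   # every open/accept/drop

    def open_window(self, vendor_ip, now, minutes, two_factor_ok):
        """Enable the rule for one vendor, for a bounded number of minutes."""
        self.grants[vendor_ip] = Grant(now, timedelta(minutes=minutes), two_factor_ok)
        self.audit.append((now, "open", vendor_ip, minutes))

    def decide(self, src, dst, service, now):
        """Accept only if every part of the rule holds at time `now`."""
        g = self.grants.get(src)
        if g is None:
            reason = "no open window for src"
        elif not g.two_factor_ok:
            reason = "2fa not completed"
        elif not (g.opened_at <= now < g.opened_at + g.duration):
            reason = "window expired"
        elif not any(ip_address(dst) in net for net in ENCRYPTION_DOMAIN_X):
            reason = "dst outside encryption domain"
        elif service not in ALLOWED_SERVICES:
            reason = "service not permitted"
        else:
            reason = "ok"
        verdict = "accept" if reason == "ok" else "drop"
        self.audit.append((now, verdict, src, dst, service, reason))
        return reason == "ok"
```

The audit list is what answers "who did what, and when" after the fact; an expired window is dropped rather than silently extended, which is the point of keeping the window short.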