RE: [FW1] Do these solutions post unacceptable security risk?



Any time you allow an outsider full control of one of your internal machines
it's a security risk. And the worst part is that you don't really know who
is on the other end, whether they're dangerously curious, about to quit
their job and feel like leaving a little present behind, or take no measures
to protect your logon credentials (to name just a few of the risks).

Having said that, sometimes you simply have no choice. What we've done in
these situations is to set up access via Terminal Services or Citrix and
manually enable the rules at the request of the vendor, and only for the
duration that they actually need access to the box. In other words, we try
to limit the window of vulnerability to the shortest time span possible. The
other thing we do is force the vendor to use two-factor authentication, like
SecurID. That way there's a tighter audit trail of who's doing what and less
chance the vendor can claim innocence if something does go wrong.

The sad part of all this is that no matter how good your security might be,
your vendor has just become the weakest link in the chain, if for no other
reason than your inability to assess and control their environment.

Geoff

-----Original Message-----
From: Ivan Fox [mailto:[email protected]]
Sent: Sunday, January 21, 2001 12:18 PM
To: fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail)
Subject: [FW1] Do these solutions post unacceptable security risk?



There are a number of unix-based and NT-based application servers on the
internal network.  They are so special that the vendor needs to access these
servers from the Internet to trouble-shoot and support, when needed.

The following are proposed "solutions", your comments/suggestions are
appreciated.

1) SSH for Unix-based servers

2) VNC for NT-based servers

3) VPN for both Unix and NT servers.

In these cases, we need to drill a number of holes in the firewall to allow
port 22, 5900 and/or protocol 50 to pass through.  We want the "vendor" to be
authenticated by Check Point Firewall-1 before allowing them to come in and
then access ONLY those servers.

The rule would be

src          dst                                  service  action
vendor ip    encryption-domain-x                  50       client-auth
             (consists of the IPs of the
              unix/nt servers)

Would such a "design" pose any security risk to us?

Any comments/suggestions are appreciated.

Dave

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================