RE: [FW1] Do these solutions pose unacceptable security risk?
Just a thought, but why not drop another network card in the firewall box and have a DMZ prong (possibly an extra one if there's already one)? It'd be a dedicated DMZ where your internal users and your vendors can share access to these boxes. Network cards tend to run a fair sight cheaper than Citrix servers or dedicated pipes to vendors. ;-)

--Matt

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Geoffrey Moon
> Sent: Sunday, January 21, 2001 7:44 PM
> To: 'Ivan Fox'; fw-1-mailinglist (e-mail)
> Subject: RE: [FW1] Do these solutions pose unacceptable security risk?
>
> Any time you allow an outsider full control of one of your internal machines
> it's a security risk. And the worst part is that you don't really know who
> is on the other end, whether they're dangerously curious, about to quit
> their job and feel like leaving a little present behind, or take no measures
> to protect your logon credentials (to name just a few of the risks).
>
> Having said that, sometimes you simply have no choice. What we've done in
> these situations is to set up access via Terminal Services or Citrix and
> manually enable the rules at the request of the vendor, and only for the
> duration that they actually need access to the box. In other words, we try
> to limit the window of vulnerability to the shortest time span possible. The
> other thing we do is force the vendor to use two-factor authentication, like
> SecurID. That way there's a tighter audit trail of who's doing what and less
> chance the vendor can claim innocence if something does go wrong.
>
> The sad part of all this is that no matter how good your security might be,
> your vendor has just become the weakest link in the chain, if for no other
> reason than your inability to assess and control their environment.
>
> Geoff
>
> -----Original Message-----
> From: Ivan Fox [mailto:[email protected]]
> Sent: Sunday, January 21, 2001 12:18 PM
> To: fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail)
> Subject: [FW1] Do these solutions pose unacceptable security risk?
>
> There are a number of unix-based and NT-based application servers on the
> internal network. They are so special that the vendor needs to access these
> servers from the Internet to troubleshoot and support them, when needed.
>
> The following are proposed "solutions"; your comments/suggestions are
> appreciated.
>
> 1) SSH for Unix-based servers
>
> 2) VNC for NT-based servers
>
> 3) VPN for both Unix and NT servers.
>
> In these cases, we need to drill a number of holes in the firewall to allow
> port 22, 5900 and/or 50 to pass through. We want the "vendor" to be
> authenticated by Check Point Firewall-1 before allowing them to come in and
> then access ONLY those servers.
>
> The rule would be
>
>   src        dst                    service   action
>   vendor ip  encryption-domain-x    50        client-auth
>              (consists of the IPs
>              of the unix/nt servers)
>
> Would such a "design" pose any security risk to us?
>
> Any comments/suggestions are appreciated.
>
> Dave

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
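As an added example (not part of the thread, and not Check Point's own rule syntax or code), the following Python model shows how the rule Ivan proposes behaves once it is read the way a first-match rule base is read: vendor IP as source, the encryption domain (the specific unix/NT servers) as destination, the SSH/VNC/ESP services, client-auth as the action, and an implicit cleanup rule dropping everything else. It also bolts on Geoff's practice of enabling the rule only for the support window, so the same packet is dropped once the ticket is closed. One detail worth seeing in code: the "50" in the thread is IP protocol 50 (ESP, the IPsec payload), not a TCP port, so services are modelled as (protocol, port) pairs. All addresses, the window times and the scenarios are constructed; the `authenticated` set stands in for sources that have completed client authentication at the firewall.

```python
# Added example, not from the thread or from Check Point: a small model of the
# vendor-access rule proposed above (vendor IP -> encryption domain, services
# 22/5900/50, client-auth) with Geoff's "enable only for the support window"
# practice added. All addresses, hostnames and times are constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Services as the firewall sees them: (IP protocol, destination port).
# "50" in the thread is IP protocol 50 (ESP), which has no port at all.
SERVICES = {
    "ssh": ("tcp", 22),
    "vnc": ("tcp", 5900),
    "esp": ("esp", None),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    when: datetime


def _in_any(addr: str, nets: list) -> bool:
    """True if addr falls in one of nets; ["any"] matches everything."""
    if nets == ["any"]:
        return True
    return any(ip_address(addr) in ip_network(n) for n in nets)


@dataclass
class Rule:
    name: str
    src: list            # source networks, or ["any"]
    dst: list            # destination networks, or ["any"]
    services: list       # names from SERVICES, or ["any"]
    action: str          # "accept", "client-auth" or "drop"
    # Geoff's practice: the rule only exists while the vendor has a ticket open.
    window: Optional[tuple] = None   # (start, end) datetimes; None = always on

    def enabled_at(self, when: datetime) -> bool:
        return self.window is None or self.window[0] <= when < self.window[1]

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled_at(pkt.when):
            return False
        if not _in_any(pkt.src, self.src) or not _in_any(pkt.dst, self.dst):
            return False
        if self.services == ["any"]:
            return True
        return any(SERVICES[s] == (pkt.proto, pkt.dport) for s in self.services)


def evaluate(rules, pkt, authenticated):
    """First-match evaluation, top to bottom, like a FW-1 rule base.

    `authenticated` is the set of source IPs that have completed client
    authentication at the firewall (SecurID in Geoff's setup); a client-auth
    rule passes traffic only from those sources. Returns (decision, rule name);
    traffic matching no rule hits the implicit cleanup rule and is dropped.
    """
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "client-auth":
                return ("accept" if pkt.src in authenticated else "drop", rule.name)
            return (rule.action, rule.name)
    return ("drop", "cleanup")


# --- constructed rule base and traffic ---------------------------------------
VENDOR = "203.0.113.5"                                  # constructed vendor IP
ENCRYPTION_DOMAIN = ["10.1.1.10/32", "10.1.1.11/32"]    # the unix/NT app servers
SUPPORT_WINDOW = (datetime(2001, 1, 22, 14, 0), datetime(2001, 1, 22, 16, 0))

RULES = [
    Rule("vendor-support", [VENDOR + "/32"], ENCRYPTION_DOMAIN,
         ["ssh", "vnc", "esp"], "client-auth", SUPPORT_WINDOW),
    Rule("cleanup", ["any"], ["any"], ["any"], "drop"),
]


def run_scenarios():
    """Run constructed packets through RULES; returns {label: (decision, rule)}."""
    inside = datetime(2001, 1, 22, 14, 30)
    after = datetime(2001, 1, 22, 18, 0)
    cases = {
        "vendor ssh to app server, authenticated":
            (Packet(VENDOR, "10.1.1.10", "tcp", 22, inside), {VENDOR}),
        "vendor ssh to app server, no client auth":
            (Packet(VENDOR, "10.1.1.10", "tcp", 22, inside), set()),
        "vendor ssh to a host outside the domain":
            (Packet(VENDOR, "10.1.1.50", "tcp", 22, inside), {VENDOR}),
        "vendor telnet to app server":
            (Packet(VENDOR, "10.1.1.10", "tcp", 23, inside), {VENDOR}),
        "vendor ESP to app server, authenticated":
            (Packet(VENDOR, "10.1.1.11", "esp", None, inside), {VENDOR}),
        "vendor ssh after the window closed":
            (Packet(VENDOR, "10.1.1.10", "tcp", 22, after), {VENDOR}),
        "someone else from the Internet":
            (Packet("198.51.100.7", "10.1.1.10", "tcp", 22, inside), {"198.51.100.7"}),
    }
    return {label: evaluate(RULES, pkt, auth) for label, (pkt, auth) in cases.items()}


if __name__ == "__main__":
    for label, (decision, rule) in run_scenarios().items():
        print(f"{decision:6s} ({rule:14s}) {label}")
```

Note what the model does not capture, which is the point of Geoff's last paragraph: once the vendor is accepted, the firewall has no say over what runs on the vendor's end of the session or how that end protects the credentials it authenticated with.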