On Tue, Jan 31, 2006 at 08:44:44AM +0000, John Hodrien wrote:
> On Mon, 30 Jan 2006, Frank Sweetser wrote:
>
> I'd look at this as yet another symptom of a network nazi. If it's stopping
> you doing something useful, they're the ones that need to get a grip. If AG
> used 1 port rather than 5000, would it actually be more secure?
As an employed network nazi myself, I think I can answer that =)

No - but you're asking the wrong question altogether. As a network nazi
myself, the question I have to ask myself when deciding whether to allow a
particular type of activity through is, "What will this do to the integrity
and security of the *entire network*?" The bigger the change (IOW, the more
ports that have to be opened up), the greater the potential impact. Even if
the ports are only opened up to an AG system, it still increases the exposure
of that system, which, if compromised, would allow an attacker to bypass the
external firewall and attack other hosts directly.

Just remember that when you're asking for changes to make your access grid
node work, the firewall admins also have to figure out whether they're
following the policies that get handed to them, and how it's going to affect
every other machine on the network, not just yours. If you can go to them
and explain the application you're trying to use, what network resources
need to be opened up, and *why* it's important enough to take time away from
managing the steady flood of attackers, viruses and trojans, and monitoring
critical stuff that handles things like payroll, as opposed to "Hey! You!
Open these ports for me 'cause I said so!", you'll have much better results.

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Network Engineer          |  is simple, elegant, and wrong.  - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC