Thanks to all for the responses. I think that with some diplomacy and
cajoling I can get rid of dial-in lines -- but it'll take a while, and
the outcome is not 100 percent certain. The justification for dial-in
is that users sometimes need to check out their customizations online,
and it's easier for the engineers to set up pcANYWHERE than for them to
wait for us to give the users a temporary RAS account or open a
pcANYWHERE hole in the firewall for them, etc. WTS and Citrix are right
out because of the difficulties of installs. They could have their own
lab for demos instead of using the same computers they develop on, but
this is not realistic given the small size of our company. This is a
problem that requires some thought, but I think there may be a solution.

Dial-out -- that's something I can't figure out what to do with. The issue
is our support people. They often need to dial into a customer,
sometimes using RAS. A lot of our customers use private addresses
internally, just like we do. You can imagine what happens when you try
to dial into a network with the same set of IP addresses as you use
internally.

Moreover, their DNS and WINS servers are, of course, different from our
own, and sometimes it can be hard to find out an IP address, sometimes
because we do the dial-ins at night and the customer isn't around to
answer questions (and may have forgotten to provide the IP address of a
critical server).

The other issue with dial-out is DOS and 16-bit applications (yes, we
still have some). These do not necessarily work with virtual modem
ports.

Ideally what I'm looking for is something that can plug into the back of
a computer's COM ports. This would go to a device that would figure out
when a request was being made and patch it through to an available
modem, either for dial-in or dial-out. This device would have to have
some sort of management capability, like being able to turn off access
at certain times, have certain restrictions, and, as someone suggested,
ideally be able to sniff out what's going on. I realize this device
probably doesn't exist, but I wanted to be able to say I tried.

I guess the solution is to try to get rid of dial-in and pool as many
dial-out ports as possible. People who absolutely need analog lines
should be given dial-out only lines (I assume the PBX can do this -- I
haven't tried yet) unless they have a really, really good reason.

As far as general security at our company goes, we have the firewall,
etc., to prevent people from doing bad things to our computers, not
necessarily to keep information from getting out. Business interruption
is the primary worry. This makes security a bit easier to manage.

Thanks!

Jen
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]