On Mon, 10 Jan 2000, Ron DuFresne wrote:

> > At 12:27 28/12/99 +0100, Paul Koch wrote:
> > >He would put me IN FRONT of the firewall so that I have to maintain my own
> > >security on my system.
> > 
> > That's a *really* bad idea.

I agree with Ron; it's not necessarily a bad idea, in fact it can be a 
darned good one.  I nuked the original response in some quick cleaning 
this afternoon, so I'll reply in-line...

> > i) Your box is outside of the corporate firewall protection - and traffic
> > to it is not logged at the firewall.
> > 
> > This means more chance that your box will get compromised, and less chance
> > of spotting it in the logs if it is.
> > 

"Will" is harsh, "may" is better, and it doesn't preclude good host 
protection or host intrusion detection (or even a "personal firewall" 
on the exposed host).  Worst comes to worst, just reload the host from a 
read-only Jazz drive every morning.  Much better than taking more risk 
for the entire internal network *and* tying the firewall interfaces up 
passing amazing amounts of data that streaming video can entail at times.

Streaming media offers the opportunity for an attacker to pipe the local subnet 
in and out without much more than a shrug, since you can't verify the content 
of the stream.

> > ii) if your box gets compromised, it's located at the best place to sniff
> > traffic going in/out of the corporate site - script-kiddie tools will

That depends on if it's on the same layer-2 network as the external 
firewall interface.

I tend to put my outside lusers on separate switches off of a different 
router interface.

> > vacuum up all sorts of nice stuff like any FTP/telnet passwords going by.
> > (OK sniffing is not so easy if you're using an ethernet switch on the
> > subnet outside the firewall, but even so)
> > 
> > It seems to me that this whole issue is driven by a failure to take a
> > sensible 'business issues' approach.

No, it's driven by the fact that some protocols aren't easy to secure, 
and someone properly wants to minimize the risk of a new and untrusted 
protocol by limiting the exposure to a single machine instead of the 
company's mission-critical business servers and networks.

> > If you can document why you need the stuff, then that *ought* to be enough
> > to then trigger a project for your sysop to cost up doing a 'properly
> > secured' real-video set-up.  It may turn out that the costs of doing it
> > properly outweigh the business benefits - so it's a project that won't happen.
> > 

"Off the internal network" works just fine in cost and doesn't impact 
doing it properly.  Given that the programs for streaming media are 
changing rapidly, it's a heck of a lot better than trusting new clients or 
waiting for someone to do an evaluation on new client code.

> > That would be the *right* thing to do - whereas trying out 'cheaper
> > options' that have substantial security impact without going through a
> > risks/costs project is *not* the right thing.
> > 

How is a single PC a substantial security impact when an entire network 
isn't?

> While I understand this opinion, I also think that if the box is properly
> secured, and there can be other boxes in front of this box set up to help
> secure it, then, the risk might well be the same or perhaps even safer
> than passing the traffic through the firewall and onto the internal
> network...

Much safer.  Firewalls only protect what they block, everything else is 
fair game if you compromise the internal host.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
