>> > >He would put me IN FRONT of the firewall so that I have to maintain my own
>> > >security on my system.
>> >
>> > That's a *really* bad idea.
>
>I agree with Ron, it's not necessarily a bad idea,...
<snip>
>> > This means more chance that your box will get compromised, and less chance
>> > of spotting it in the logs if it is.
>> >
>
>"Will" is harsh, "may" is better, and it doesn't preclude good host
>protection or host intrusion detection (or even a "personal firewall"
>on the exposed host). Worst comes to worst, just reload the host from a
>read-only Jazz drive every morning.
This can all be done, and any *single* box can in theory be made extremely
secure (especially if, as Ron suggested, more boxes are added to protect it).
The questions then are:
i) shouldn't the whole security perimeter be handled by the system admin,
and designed as an integrated whole (one set of log formats etc) - not two
serial systems under different owners, with different logs - dependent upon
*both* owners to do a great job on an *ongoing* basis
ii) the costs of protection systems for the box on the outside *still*
require someone to pay - back to getting the project under a business
footing, justifying the engineering work and doing it right.
I'd agree that a box on the outside could in principle be secured, and even
help to partition traffic from the main firewall.
But in practice, the reason it was proposed in this thread was *not* to
develop the best integrated defence, with the best ongoing chance of
staying secure.
It was to short circuit the normal security channels, and to avoid sensible
planning processes which would realise that there *are* costs in any case
involved in the quick + dirty solution.
Deri
NTA Monitor
www.nta-monitor.com
(apologies for being slow to reply in this thread...
>Much better than taking more risk
>for the entire internal network *and* tying the firewall interfaces up
>passing amazing amounts of data that streaming video can entail at times.
>
>Streaming media offers the opportunity for an attacker to pipe the local subnet
>in and out without much more than a shrug, since you can't verify the content
>of the stream.
>
>> > ii) if your box gets compromised, it's located at the best place to sniff
>> > traffic going in/out of the corporate site - script-kiddie tools will
>
>That depends on if it's on the same layer-2 network as the external
>firewall interface.
>
>I tend to put my outside lusers on separate switches off of a different
>router interface.
>
>> > vacuum up all sorts of nice stuff like any FTP/telnet passwords going by.
>> > (OK sniffing is not so easy if you're using an ethernet switch on the
>> > subnet outside the firewall, but even so)
>> >
>> > It seems to me that this whole issue is driven by a failure to take a
>> > sensible 'business issues' approach.
>
>No, it's driven by the fact that some protocols aren't easy to secure,
>and someone properly wants to minimize the risk of a new and untrusted
>protocol by limiting the exposure to a single machine instead of the
>company's mission-critical business servers and networks.
>
>> > If you can document why you need the stuff, then that *ought* to be enough
>> > to then trigger a project for your sysop to cost up doing a 'properly
>> > secured' real-video set-up. It may turn out that the costs of doing it
>> > properly outweigh the business benefits - so it's a project that won't happen.
>> >
>
>"Off the internal network" works just fine in cost and doesn't impact
>doing it properly. Given that the programs for streaming media are
>changing rapidly, it's a heck of a lot better than trusting new clients or
>waiting for someone to do an evaluation on new client code.
>
>> > That would be the *right* thing to do - whereas trying out 'cheaper
>> > options' that have substantial security impact without going through a
>> > risks/costs project is *not* the right thing.
>> >
>
>How is a single PC a substantial security impact when an entire network
>isn't?
>
>> While I understand this opinion, I also think that if the box is properly
>> secured, and there can be other boxes in front of this box set up to help
>> secure it, then the risk might well be the same or perhaps even safer
>> than passing the traffic through the firewall and onto the internal
>> network...
>
>Much safer. Firewalls only protect what they block, everything else is
>fair game if you compromise the internal host.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>[EMAIL PROTECTED] which may have no basis whatsoever in fact."
> PSB#9280