I have pondered this quandary for some time, and I offer the following
conclusion:
A network re-design is coming your way.
Ultimately, while there are two separate business units, the moment you put
their NT4 hack-bucket on your network, you are really creating one
homogeneous logical-network. In other words, there's no more "LAN-A / LAN-B"
thinking: it's ALL LAN-A now.
Before anything is done, the various parties involved in supporting (and who
hold the ultimate responsibility for the security of the company's data)
must come together and find a way to implement a new network design that
accomplishes Group B's critical business needs AND provides reasonable
security of the company's data.
YOUR goal is to create a network infrastructure that provides both groups
access to the tools (applications) and information (data) that make the
company productive.
So, get a T-1 between sites, set up authenticated modem pools....whatever
gets the job done.
But don't put NT4 on the internet.
:)
Jeremiah
------
"People who have email sigs are generally pretentious."
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Brian Steele
Sent: Wednesday, April 11, 2001 6:56 PM
To: Firewalls Mailing List
Subject: Your opinions please..
Not really a firewall issue - more of a security issue, but as there are a
few security experts on the list..:-)
Situation: Company consisting of two independently operating business units,
let's say A and B. The operations of each unit are governed by its own
internal security procedures, A's being more stringent than B's. The two
business units are connected via a WAN.
B wants to install a software package in A's LAN to meet a "critical business
requirement". However:
1. pcAnywhere has to be installed on the server running the
package to allow staff from B to remote control the
server (a Windows NT4 box, btw) when it's installed on
A's LAN.
2. The software on the server will be interfacing with a critical
system on A's LAN. And also with Internet users (via a
firewall - port 80 only).
3. The software requires that the Administrator account be
left logged on on the server's console.
4. The password for remote access via pcAnywhere (and
thus the Administrator password) will be known to several
persons in B.
Now, if you were the sysadmin for A's LAN, would you consider this
arrangement secure enough for internal business use? If not, are there any
steps that you'd take to minimize the risk to your LAN? Or would you be
raising the strongest protests to ensure such a system is not deployed on
your LAN because of the security threat that it poses?
Regards,
Brian
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]