If I were A's sysadmin, I would protest (strong protest).
>From your description, this system was "designed" with little
thought given to security until it was presented to unit A.
Security as an afterthought (as with any other system change
made late in the development process) usually provides little
return compared to the cost of the retrofitting.
I would also provide to both units A and B, a list of all the
things that could go wrong, what business systems would be
affected if they went wrong, and the cost to repair/rebuild/replace
those systems.
The decision will rest on the perceived value of the "business critical
application" and the perceived potential loss of value from security
problems introduced by the application.
It's always a judgement call, and the playing field is usually tilted
in favor of the "critical business requirement". After all, if it
REALLY IS CRITICAL, the company may fold, or suffer so greatly that
it no longer needs its secure network computing facilities, if it
doesn't implement the system in question.
On Wed, Apr 11, 2001 at 09:55:54PM -0400, Brian Steele wrote:
> Not really a firewall issue - more of a security issue, but as there are a
> few security experts on the list..:-)
>
> Situation: Company consisting of two independently operating business units,
> let's say A and B. The operations of each unit is governed by its own
> internal security procedures, A's being more stringent than B's. The two
> business units are connected via a WAN.
>
> B want to install a software package in A's LAN to meet a "critical business
> requirement". However:
>
> 1. pcAnywhere has to be installed on the server running the
> package to allow staff from B to remote control the
> server (a Windows NT4 box, btw) when it's installed on
> A's LAN.
>
> 2. The software on the server will be interfacing with a critical
> system on A's LAN. And also with Internet users (via a
> firewall - port 80 only).
>
> 3. The software requires that the Administrator account be
> left logged on on the server's console.
>
> 4. The password for remote access via pcAnywhere (and
> thus the Administrator password) will be known to several
> persons in B.
>
> Now, if you were the sysadmin for A's LAN, would you consider this
> arrangement secure enough for internal business use? If not, are there any
> steps that you'd take to minimize the risk to your LAN? Or would you be
> raising the strongest protests to ensure such a system is not deployed on
> your LAN because of the security threat that it poses?
>
> Regards,
> Brian
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Jim Traeber
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
