requirement #3 is the one that looks fatal to me.

if it were excluded (and if I was willing to put in the work to implement
it) I offer the following option

install a Citrix server on A's LAN that requires strong authentication and
128-bit encryption to access (in my case I use Defender challenge-response
with hardware tokens)

allow pcAnywhere access from this Citrix machine to the server that B is
placing on A's LAN.

this ensures that access to the Citrix/pcAnywhere machine can be traced to
an individual and the encryption combined with the strong authentication
should keep anyone else out.

once B's people have accessed the Citrix server they can then run
pcAnywhere without it going outside your security perimeter.

now this assumes that you would be willing to run pcAnywhere from one
machine on A's LAN to another machine on the same network segment. this is
really not the desired way to do business, but may be seen as a reasonable
compromise, at least the bad traffic is kept inside your harder perimeter.

unfortunately if the software requires that the login be maintained over
time you have other problems.

I believe that if you are _really_ careful with Citrix you can disconnect
but keep your NT session live, this would allow someone to log in, start
the software and disconnect without logging out (and killing pcAnywhere
and your software) when they go to connect again they again get strongly
authenticated. this won't work with multiple people as only one person
would be able to access that session.

David Lang




On Wed, 11 Apr 2001, Brian Steele wrote:

> Date: Wed, 11 Apr 2001 21:55:54 -0400
> From: Brian Steele <[EMAIL PROTECTED]>
> To: Firewalls Mailing List <[EMAIL PROTECTED]>
> Subject: Your opinions please..
>
> Not really a firewall issue - more of a security issue, but as there are a
> few security experts on the list..:-)
>
> Situation: Company consisting of two independently operating business units,
> let's say A and B.  The operations of each unit are governed by its own
> internal security procedures, A's being more stringent than B's. The two
> business units are connected via a WAN.
>
> B wants to install a software package in A's LAN to meet a "critical business
> requirement".  However:
>
>     1. pcAnywhere has to be installed on the server running the
>         package to allow staff from B to remote control the
>         server (a Windows NT4 box, btw) when it's installed on
>         A's LAN.
>
>     2. The software on the server will be interfacing with a critical
>          system on A's LAN. And also with Internet users (via a
>          firewall - port 80 only).
>
>     3. The software requires that the Administrator account be
>         left logged on on the server's console.
>
>     4. The password for remote access via pcAnywhere (and
>         thus the Administrator password) will be known to several
>         persons in B.
>
> Now, if you were the sysadmin for A's LAN, would you consider this
> arrangement secure enough for internal business use?  If not, are there any
> steps that you'd take to minimize the risk to your LAN? Or would you be
> raising the strongest protests to ensure such a system is not deployed on
> your LAN because of the security threat that it poses?
>
> Regards,
> Brian
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
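One way to verify the arrangement proposed in the reply above (pcAnywhere reachable only from the Citrix server, and every session traceable to an individual), as an added example that is not part of the original thread. The addresses, user names and both log layouts are constructed assumptions, and pcAnywhere is assumed to use its default ports 5631/tcp and 5632/udp.

```python
from datetime import datetime

# Assumptions (not from the thread): addresses, users and log layouts are
# constructed; 5631/tcp and 5632/udp are pcAnywhere's default ports.
JUMP_HOST = "10.1.0.10"      # Citrix server on A's LAN
B_SERVER = "10.1.0.20"       # B's NT4 server on A's LAN
PCA_PORTS = {("tcp", 5631), ("udp", 5632)}

# Constructed sample: strong-authentication events on the Citrix server.
AUTH_LOG = """\
2001-04-12T09:00:05 alice LOGON
2001-04-12T09:40:00 alice LOGOFF
2001-04-12T11:00:00 bob LOGON
"""

# Constructed sample: flow records in the form "time src dst proto dport".
FLOW_LOG = """\
2001-04-12T09:05:00 10.1.0.10 10.1.0.20 tcp 5631
2001-04-12T10:15:00 10.1.0.10 10.1.0.20 tcp 5631
2001-04-12T11:30:00 10.2.7.44 10.1.0.20 tcp 5631
2001-04-12T11:31:00 10.2.7.44 10.1.0.20 tcp 80
"""

def parse_sessions(text):
    """Turn LOGON/LOGOFF events into (user, start, end) intervals."""
    open_at, sessions = {}, []
    for line in text.splitlines():
        ts, user, event = line.split()
        t = datetime.fromisoformat(ts)
        if event == "LOGON":
            open_at[user] = t
        elif event == "LOGOFF" and user in open_at:
            sessions.append((user, open_at.pop(user), t))
    # Sessions never logged off are treated as still open.
    sessions += [(u, s, datetime.max) for u, s in open_at.items()]
    return sessions

def audit(flow_text, auth_text):
    """Classify every pcAnywhere connection made to B's server."""
    sessions, findings = parse_sessions(auth_text), []
    for line in flow_text.splitlines():
        ts, src, dst, proto, dport = line.split()
        if dst != B_SERVER or (proto, int(dport)) not in PCA_PORTS:
            continue                      # not pcAnywhere traffic to B's server
        t = datetime.fromisoformat(ts)
        users = sorted(u for u, s, e in sessions if s <= t <= e)
        # BYPASS: did not come via the Citrix server; UNATTRIBUTED: nobody authenticated.
        kind = "BYPASS" if src != JUMP_HOST else "ATTRIBUTED" if users else "UNATTRIBUTED"
        findings.append((ts, kind, ",".join(users) if kind == "ATTRIBUTED" else src))
    return findings
```

Anything reported as BYPASS or UNATTRIBUTED means the perimeter or the traceability the design depends on did not hold for that connection.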
