Shay Hugi wrote:
> 
> who would be able to sniff my *LOCAL* network? if the web management 
> is in the same network connected to the same switch?

Anyone that mails a copy of back orifice, renamed to "hotpr0n.exe",
to a user with too much time on his hands.

> ever heard about Webmin? I'm sure you've heard about this product.
> in case you haven't.. they stopped working with SSL because they saw 
> there's no need for SSL if you're managing a network device on your 
> local LAN.

It is obvious that the networks I admin have quite different security
demands compared to the networks that you admin.

If you have a security policy that states "as soon as someone 
gets a foothold on our 'internal LAN', we might as well give away 
everything", I suppose those arguments hold true. Most smaller
organizations do set up their network that way (although they
probably like to think that they have a firewall and antivirus,
so nothing can harm them), so in a sense, I suppose it's reasonable.


I'm more at home with segmented networks with two or more firewalls
and perhaps half a dozen legs on each box. If I'm at the "most 
secure" admin LAN behind firewall A, and need to cross another 
network to admin firewall B, I don't want people on that transit
network to use info from my admin channel to take over firewall B, 
simply on defense in depth principles.

Even if you don't have as many segments, you still ought to guard
your firewall admin interface as soon as the organization grows
beyond something like 20 users. Up to that point, you can (maybe)
have some control over what's going on, but once you get beyond
that, you get disgruntled employees, "power users" that want to
do a bit of P2P file sharing to get some new music or games...
or hotpr0n.exe.  If things like that aren't a problem to you, I 
guess all is fine with using virtually unprotected firewall admin
interfaces. 

If that is indeed Webmin's target segment, I guess all is fine there 
too. If on the other hand they're targeting bigger organizations 
with higher demands for security, and blatantly lie to them by
saying "hey, you don't really need authentication!", someone ought 
to apply a clue-by-4 to their skulls.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
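The defense-in-depth argument above (an admin session from the "most secure" admin LAN crossing a transit network to reach firewall B, and the single trojaned host on a flat LAN) can be made concrete as a small path check over a segment map. The following is an added example for this thread; it is not code from the original mail or from Clavister. The topology, device names, segment names and the protocol groupings are constructed for illustration and would be replaced by a real inventory.

```python
"""Added example: which network segments expose a management session?

Models the thread's point: a plaintext admin channel is readable from
every segment it crosses (including the admin's own segment, where a
trojaned PC could sit), while an encrypted channel is not. Topology and
inventory below are constructed, not a real network."""
from collections import deque

# Constructed topology: each segment maps to the segments a firewall leg
# joins it to. "flat-office-lan" is the single-switch network from the thread.
TOPOLOGY = {
    "admin-lan": {"transit"},
    "transit": {"admin-lan", "dmz"},
    "dmz": {"transit"},
    "flat-office-lan": set(),
}

# Constructed inventory: the segment each device's management interface sits on.
MGMT_INTERFACE = {
    "firewall-A": "admin-lan",
    "firewall-B": "dmz",
    "soho-router": "flat-office-lan",
}

# Management protocols grouped by whether they protect the session on the wire.
PLAINTEXT_PROTOCOLS = {"http", "telnet"}
ENCRYPTED_PROTOCOLS = {"https", "ssh"}


def segments_traversed(src, dst):
    """Shortest list of segments an admin session crosses from src to dst,
    both ends included (breadth-first search). Raises ValueError if there
    is no path, e.g. between two unconnected networks."""
    if src not in TOPOLOGY or dst not in TOPOLOGY:
        raise ValueError(f"unknown segment: {src!r} or {dst!r}")
    previous = {src: None}
    queue = deque([src])
    while queue:
        seg = queue.popleft()
        if seg == dst:
            path = []
            while seg is not None:  # walk back to src
                path.append(seg)
                seg = previous[seg]
            return path[::-1]
        for nxt in sorted(TOPOLOGY[seg]):
            if nxt not in previous:
                previous[nxt] = seg
                queue.append(nxt)
    raise ValueError(f"no path from {src!r} to {dst!r}")


def exposed_segments(admin_segment, device, protocol):
    """Segments on which a foothold lets someone read the session's
    credentials. Encrypted protocols expose none of the path; plaintext
    ones expose all of it, the admin's own segment included."""
    if protocol not in PLAINTEXT_PROTOCOLS | ENCRYPTED_PROTOCOLS:
        raise ValueError(f"unknown protocol: {protocol!r}")
    path = segments_traversed(admin_segment, MGMT_INTERFACE[device])
    return [] if protocol in ENCRYPTED_PROTOCOLS else path


def verdict(admin_segment, device, protocol):
    """One-line assessment suitable for an inventory report."""
    exposed = exposed_segments(admin_segment, device, protocol)
    if not exposed:
        return (f"{device}: {protocol} management from {admin_segment} "
                f"is protected on the wire")
    return (f"{device}: {protocol} management from {admin_segment} "
            f"exposes credentials on {', '.join(exposed)}")


if __name__ == "__main__":
    for args in (("admin-lan", "firewall-B", "http"),
                 ("admin-lan", "firewall-B", "https"),
                 ("flat-office-lan", "soho-router", "http")):
        print(verdict(*args))
```

The check only covers confidentiality on the wire. Whether the admin is authenticated, and whether the admin's client verifies it is really talking to firewall B rather than a host on the transit segment, are separate controls that an encrypted transport by itself does not provide.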
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
