Hi Mark,

I'm afraid I'm going to adopt the first solution... We are a 20 person company and a simple and cheap solution (although less transparent, I agree) will be at our reach... And the flaws of the first solution can be avoided in a small company...

Thanks,
Karim AMRANI

[EMAIL PROTECTED] wrote:

> Remove the modem, insert a modem pool device that uses one of the
> standard Authentication and Authorization Protocols (RADIUS, TACACS,
> TACACS+), then you will have some logging and some granular control of
> what the user can do using a modem.
>
> The second action to take is go to your telecom guy and restrict the
> lines, so that they can only dial out and a would-be intruder will not be
> able to dial them back or dial into that modem, just in case some user
> flips the modem into auto answer mode.
>
> The reason the below logic does not work is that if a user is used to
> doing things one way for a very long time, all changes to any organization
> security architecture should be transparent to the user. In some cases,
> this cannot be done, but in most cases, a user doesn't even know they are
> communicating to the Internet via a firewall, or that his/her email is
> being scrubbed by some sort of virus/content scanner.
>
> The more noticeable the security architecture the greater the possibility
> a user may attempt to avoid any of the security mechanisms that they know
> about.
>
> /mark
>
> Tom Rowan <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 06/08/00 07:22 AM
>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, fw mailing list
> <[EMAIL PROTECTED]>
> cc:
> Subject: RE: [FW1] modem internet access on the internal LAN
>
> Hi,
>
> With the greatest of respect, the wrong thing that you're doing is
> bypassing your firewall!!! Why spend all that money on huge, expensive
> titanium padlocks if you're going to leave them undone?!
>
> 1) Remove the modems.
> 2) Buy a standalone PC. Put a modem in it but NO network card.
> 3) Stick a skull and cross bones on it and never trust it again.
>
> Well okay, perhaps number 3 is a bit extreme, but you get my point? ;-)
>
> Tom
>
> -----Original Message-----
> From: Karim Amrani [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 08, 2000 2:25 PM
> To: fw mailing list
> Subject: [FW1] modem internet access on the internal LAN
>
> Hi everybody,
>
> Some users of the internal LAN of our firewall still use modems to
> connect to internet (used to check the visibility of our web sites from
> outside the firewall, mainly).
>
> On their PC, they have an Ethernet card and an ISDN card.
> As I saw some of IP addresses they got from the modem ISP in the IP
> database of the FW, it means that their PC is leaking its ISDN's IP on
> the ethernet LAN...
>
> Am I wrong somewhere ?
> May this be corrected by some configuration on the PC ?
>
> TIA,
> Karim AMRANI
>
> Allasso
> Theale House
> Brunel Road
> Theale, Reading
> RG7 4AQ
> +44 (0) 118 9711511
>
> [EMAIL PROTECTED]
> http://www.allasso.com
>
> DISCLAIMER
> Any opinions expressed in this email are those of the individual and not
> necessarily the Company. This email and any files transmitted with it,
> including replies and forwarded copies (which may contain alterations)
> subsequently transmitted from the Company, are confidential and solely for
> the use of the intended recipient. It may contain material protected by
> attorney-client privilege. If you are not the intended recipient or the
> person responsible for delivering to the intended recipient, be advised
> that you have received this email in error and that any use is strictly
> prohibited.
>
> If you have received this email in error please notify the IT manager by
> telephone on +44 (0)118 9711511 or via email to
> [EMAIL PROTECTED], including a copy of this message. Please
> then delete this email and destroy any copies of it.
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
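An added example, not part of the original thread: one way to spot the dual-homed PCs described above is to look for source addresses outside the LAN prefix arriving on the firewall's internal interface and group them by source MAC, so a foreign address can be tied to the workstation's LAN address. The log format, the interface names, the 192.168.10.0/24 prefix and all sample records are constructed assumptions, and it assumes the firewall sits on the same Ethernet segment so it sees the PCs' own MAC addresses.

```python
import ipaddress
from collections import defaultdict

# Assumption: the internal LAN uses this prefix (the thread names none).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample records: "<interface> <source MAC> <source IP>".
# Hypothetical format, not FireWall-1's own log layout.
SAMPLE_LOG = """\
internal 00:10:4b:aa:01:01 192.168.10.21
internal 00:10:4b:aa:01:02 192.168.10.22
internal 00:10:4b:aa:01:02 203.0.113.57
internal 00:10:4b:aa:01:03 192.168.10.23
external 00:e0:1e:bb:02:01 198.51.100.9
internal 00:10:4b:aa:01:04 203.0.113.80
"""


def is_internal(ip):
    """True when the address belongs to one of the LAN prefixes."""
    return any(ip in net for net in INTERNAL_NETS)


def find_leaking_hosts(log_text, lan_interface="internal"):
    """Return {mac: {"lan": [...], "foreign": [...]}} for every MAC that sent
    a non-LAN source address on the LAN-side interface."""
    seen = defaultdict(lambda: {"lan": set(), "foreign": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != lan_interface:
            continue  # skip malformed lines and traffic on other interfaces
        _, mac, raw_ip = parts
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # skip records whose address does not parse
        kind = "lan" if is_internal(ip) else "foreign"
        seen[mac.lower()][kind].add(str(ip))
    # Only hosts that showed at least one foreign address are reported.
    return {mac: {k: sorted(v) for k, v in addrs.items()}
            for mac, addrs in seen.items() if addrs["foreign"]}


if __name__ == "__main__":
    for mac, addrs in find_leaking_hosts(SAMPLE_LOG).items():
        lan = ", ".join(addrs["lan"]) or "no LAN address seen"
        print(f"{mac}: foreign source {addrs['foreign']} (LAN address: {lan})")
```

A MAC that appears with both a LAN address and a foreign one points at a workstation with a second, dial-up interface; a MAC with only a foreign address still needs tracing through switch or DHCP records.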
