I have. My next question will be to see their latest SAS 70 or sr16 to see if they get away with this at other institutions? Talked with a finance company today that stated they had asked and are continuing to ask for an IPsec tunnel. They do not have certificate anywhere in their install documentation.

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, December 18, 2014 4:11 PM
To: ntsysadm
Subject: Re: [NTSysADM] Weird request from a vendor

Is there anything else you want to say about this that you already haven't up-front?

Just saying port 443 implies that you are referring to HTTPS which also implies encrypted traffic - which is normal for a type of securely transmitted data.

If these guys think that just because it's on port 443, that automagically makes it secure, well then that's something completely different - and completely stupid.

But to your initial question of "You ever heard of someone whitelisting a server on the Internet to push data through a firewall on port 443", yea - that's normal in the context assumed above.

Perhaps you should go back to the vendor and go over the exact details of your concerns item-by-item.

-- Espi

On Thu, Dec 18, 2014 at 1:02 PM, David McSpadden <[email protected]> wrote:

I am.

From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, December 18, 2014 3:59 PM
To: ntsysadm
Subject: Re: [NTSysADM] Weird request from a vendor

Are you implying that certificates to encrypt the traffic are not going to be involved?

-- Espi

On Thu, Dec 18, 2014 at 12:53 PM, David McSpadden <[email protected]> wrote:

Absolutely not encrypted. They are relying on the 443 to make it private. Cracking me up.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Thursday, December 18, 2014 3:46 PM
To: '[email protected]'
Subject: RE: [NTSysADM] Weird request from a vendor

You control the source, you control the destination. I would assume it will be encrypted... verify that. If yes, I don't see the problem.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Thursday, December 18, 2014 3:36 PM
To: [email protected]
Subject: RE: [NTSysADM] Weird request from a vendor

Vendor x wants to send lending information over port 443 to a webserver on my network that will have a webservice injecting data into a SQL database. So I ask them if we couldn't just create a VPN tunnel from their server through my firewall to the webservice running internally. They reply no, just open your firewall and whitelist our address, then NAT the traffic to the webservice. I am a little more than wondering how they get away with this format for shipping data to financial institutions?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Thursday, December 18, 2014 3:32 PM
To: [email protected]
Subject: Re: [NTSysADM] Weird request from a vendor

On Thu, Dec 18, 2014 at 12:26 PM, David McSpadden <[email protected]> wrote:
> You ever heard of someone whitelisting a server on the Internet to
> push data through a firewall on port 443?

More details needed, but yes, I've put up firewall rules for specific ports and addresses. Very common.

Kurt

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
Please consider the environment before printing this email.
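
Added example, not part of the original thread: the question the thread turns on is whether traffic on port 443 is actually TLS or just cleartext HTTP on that port, and one way to check is to look at the first bytes the sender transmits (for instance from a packet capture at the firewall). The sample payloads, hostname and path below are constructed placeholders.

```python
import struct

# First bytes of cleartext HTTP requests.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def classify_first_bytes(payload: bytes) -> dict:
    """Classify the first bytes a client sends after the TCP handshake."""
    if payload.startswith(HTTP_METHODS):
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"verdict": "cleartext-http", "detail": line}
    if len(payload) < 11:
        return {"verdict": "unknown", "detail": "too short to classify"}
    # TLS record header: content type (1), record version (2), length (2).
    content_type, rec_version, _rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != 22 or rec_version >> 8 != 3:
        return {"verdict": "unknown", "detail": "not a TLS handshake record"}
    # Handshake header: message type (1), length (3); ClientHello is type 1.
    if payload[5] != 1:
        return {"verdict": "unknown", "detail": "handshake, not ClientHello"}
    # The ClientHello body starts with the 2-byte client version. TLS 1.3
    # clients also send 0x0303 here and signal 1.3 in an extension.
    (hello_version,) = struct.unpack("!H", payload[9:11])
    name = TLS_VERSIONS.get(hello_version, hex(hello_version))
    return {"verdict": "tls-client-hello", "detail": name}


def build_sample_client_hello() -> bytes:
    """Constructed minimal ClientHello (zeroed random, one cipher suite)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: hostname and path are placeholders.
SAMPLE_CLEARTEXT = b"POST /loan-import HTTP/1.1\r\nHost: ws.example.invalid\r\n\r\n"
SAMPLE_TLS = build_sample_client_hello()

if __name__ == "__main__":
    for label, data in (("cleartext", SAMPLE_CLEARTEXT), ("tls", SAMPLE_TLS)):
        print(label, classify_first_bytes(data))
```

A ClientHello only shows that the sender attempts TLS; which certificate the web service presents and whether the sender validates it still has to be confirmed separately.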

