>>>>> On Tue, 8 Feb 94 12:30:48 GMT, Rens . nl (Rens Schipper) said:
Wow, another Rens! Welcome.
Schipper> Should you restrict users on the internal network to
Schipper> communicate to the Internet?
I find it useful to put user-level access control at the firewall. I
have several 'problem' users who insist on downloading huge amounts of
software over our relatively slow T1 that are already mirrored
locally. They can be stopped this way. It also helps to block out
notorious MUDs, etc.
Schipper> We've installed a firewall that works two ways. We
Schipper> consider the internal network as safe (or unsafe) as the
Schipper> Internet. So every connection that originates from within
Schipper> the internal network has to go through our firewall as
I'm confused by this; do you mean internal->internal connections go
through the firewall? Or do you mean you need to stop internal people
from cracking external machines?? I find that if you have to protect
yourself against internal users, the best recourse usually involves
security guards and not technical solutions.
Schipper> This creates an extra checkpoint! If someone should
Schipper> compromise a system on our internal network and wants to
Schipper> hop to another network he'll be blocked and/or noticed by
Schipper> our firewall.
But how do you distinguish between legitimate and illegitimate
outbound traffic? telnet is telnet.
Schipper> What risks are to be considered when a PC on the internal
Schipper> network can make unrestricted connections to the internet?
If you use an application relayer, like SOCKS, then your main problem
is accountability; typically the PC user can spoof any desired user.
Make sure you are not using ruserok authentication on the firewall. My
firewall only allows access to the machine via the console, which is
on a terminal server and thus accessible anywhere on the internal net.
There are safeguards...silent monitoring stuff.
| J. Laurens Troost - UNIX Systems | At Work: rens @ |
| Investment Management Svcs, Inc. | At Play: rens @ |
| 12 East 49th Street, 35th floor | Phone: (212) 339-2823 |
| New York, New York 10017 | Fax: (212) 339-2854 |
-- IMS is unlikely to share any of the above opinions --
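The accountability problem with a SOCKS-style relay, illustrated with added example code that is not part of the original post: the SOCKS4 CONNECT request (VN, CD, DSTPORT, DSTIP, NUL-terminated USERID) carries the user name as a plain client-supplied string, so a relay that logs it is recording a claim, not an authenticated identity. The sample request log below is constructed; the conflict check is a hypothetical helper a firewall admin could run over such a log.

```python
import struct
from collections import defaultdict

# SOCKS4 CONNECT request layout:
#   VN(1)=4  CD(1)=1  DSTPORT(2, big-endian)  DSTIP(4)  USERID(variable)  NUL(1)

def build_socks4_connect(userid: str, dst_ip: str, dst_port: int) -> bytes:
    """Build a SOCKS4 CONNECT request. Any client can put any string in USERID."""
    ip_bytes = bytes(int(octet) for octet in dst_ip.split("."))
    return struct.pack("!BBH", 4, 1, dst_port) + ip_bytes + userid.encode("ascii") + b"\x00"

def parse_socks4_connect(data: bytes) -> dict:
    """Parse a SOCKS4 CONNECT request; raise ValueError on a malformed one."""
    if len(data) < 9:
        raise ValueError("request too short")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 4 or cd != 1:
        raise ValueError(f"not a SOCKS4 CONNECT (VN={vn}, CD={cd})")
    dst_ip = ".".join(str(b) for b in data[4:8])
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID not NUL-terminated")
    # USERID is whatever the client chose to send; the relay cannot verify it.
    return {"userid": data[8:nul].decode("ascii", "replace"),
            "dst_ip": dst_ip, "dst_port": port}

def conflicting_userids(log):
    """Given (src_ip, raw_request) pairs, return {src_ip: sorted userids} for
    source hosts that asserted more than one USERID, a sign the field is
    being filled in at will rather than reflecting a real login."""
    seen = defaultdict(set)
    for src_ip, raw in log:
        seen[src_ip].add(parse_socks4_connect(raw)["userid"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) > 1}

# Constructed sample relay log: (internal source host, bytes received from it).
SAMPLE_LOG = [
    ("10.1.2.3", build_socks4_connect("alice", "192.0.2.10", 23)),
    ("10.1.2.3", build_socks4_connect("root", "192.0.2.10", 23)),   # same PC, new name
    ("10.1.2.4", build_socks4_connect("bob", "192.0.2.20", 21)),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_LOG:
        print(src, parse_socks4_connect(raw))
    print("hosts asserting several userids:", conflicting_userids(SAMPLE_LOG))
```

Because the field is self-asserted, per-user policy at the relay has to be tied to something the firewall can check (source host, a real authentication exchange), not to USERID alone.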