Rens,
your comment:
>
>Should you restrict users on the internal network to communicate to the Internet?
>
>We've installed a firewall that works two ways. We consider the internal network
>as safe (or unsafe) as the Internet. So every connection that originates from within the internal network has to go through our firewall as well.
>
>This creates an extra checkpoint! If someone should compromise a system on our internal network and wants to hop to another network he'll be blocked and/or noticed by our firewall.
:-)
Interesting points.
Rule #6 of cracking: the front door is most often well guarded; use a side/back
door for initial entry (modem?), but remember that the use of the front door
to forward data can be quite useful, since it's often a high-speed link.
e.g. break in via a slow link, and use the high-speed firewall to dump the
stolen data (source code, whatever) *out* through the firewall.
No I'm not a cracker, I just train sys-admins to "know your enemy".
your other question:
>
>What risks are to be considered when a PC on the internal network can make unrestricted connections to the internet?
>
I'm assuming your firewall model applies to these PCs as well.
No greater risk than anything else. :-)
PCs pose a slightly higher risk to the *internal* network since there is no
unprivileged mode.
e.g. any PC user can run a sniffer program to snoop passwords.
If your internal controls/policies restrict root on systems, then this is a
little tougher on unix systems.
=======================================================================
Brad Powell : brad.powell@Sun.COM                                     |
Full Time: Sr. Network Security Analyst    | Part time: Cyberspace PI |
Computer/Information Security.             | and Consultant           |
Sun Microsystems Inc.                      |                          |
=======================================================================
The views expressed are those of the author and may
not reflect the views of Sun Microsystems Inc.
=======================================================================
>From Firewalls-Owner@GreatCircle.COM Tue Feb 8 04:35:24 1994
>Date: Tue, 8 Feb 94 12:30:48 GMT
>To: firewalls@GreatCircle.COM
>Subject: restricting Internet Access
>Precedence: bulk
>X-Lines: 28
>
>Hi Folks,
>
>I have been reading the firewall-list for some time now and find it very useful. But there is one discussion I have not seen on this list, and that is:
>
>Should you restrict users on the internal network to communicate to the Internet?
>
>We've installed a firewall that works two ways. We consider the internal network
>as safe (or unsafe) as the Internet. So every connection that originates from within the internal network has to go through our firewall as well.
>
>This creates an extra checkpoint! If someone should compromise a system on our internal network and wants to hop to another network he'll be blocked and/or noticed by our firewall.
>
>Besides this question I have a more general question on security as well:
>
>What risks are to be considered when a PC on the internal network can make unrestricted connections to the internet?
>
>I need some arguments to use in defending our point of view regarding our firewall concept.
>
>Thanks,
>
>Rens Schipper
>
>
>
> _/_/_/ _/ _/ _/ _/_/ _/_/Rens Schipper EMAIL:rens@rivm.nl,bnf@rivm.nl
> _/ _/ _/ _/ _/ _/ _/_/ _/Network Management and Facilities (BNF)
> _/_/_/ _/ _/ _/ _/ _/ _/National Institute Of Public Health And
> _/ _/ _/ _/_/ _/ _/Environmental Protection(RIVM), The Netherlands,
>_/ _/ _/ _/ _/ _/PO box 1, 3720 BA, BILTHOVEN, tel:3130-743123
>
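The "extra checkpoint" both messages describe, as an added example that is not from the thread or from either author: a small Python audit over constructed firewall connection-log lines that applies an egress allow-list to internal-to-external flows only and flags hosts whose outbound byte count looks like the bulk dump out through the high-speed link that Brad warns about. The internal ranges, allowed ports, threshold and log format are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed site policy (constructed for this example, not from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {25, 80, 443}        # mail and web out, nothing else
BULK_THRESHOLD_BYTES = 50 * 1024 * 1024     # alert above 50 MiB out per host

# Constructed log lines: "<src>:<sport> -> <dst>:<dport> bytes_out=<n>"
SAMPLE_LOG = """\
10.1.2.3:40001 -> 203.0.113.10:80 bytes_out=4200
10.1.2.3:40002 -> 203.0.113.10:443 bytes_out=8800
10.1.2.3:40003 -> 198.51.100.7:6667 bytes_out=120
10.1.2.4:40010 -> 198.51.100.9:443 bytes_out=30000000
10.1.2.4:40011 -> 198.51.100.9:443 bytes_out=30000000
10.1.2.5:40020 -> 10.1.2.9:22 bytes_out=9000
203.0.113.5:1234 -> 10.1.2.3:25 bytes_out=500
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    # Returns (src_ip, dst_ip, dst_port, bytes_out) for one log line.
    src, _arrow, dst, counter = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port), int(counter.split("=", 1)[1])

def audit_egress(log_text):
    """Check internal->external flows against the two-way policy.

    Returns (violations, bulk_senders): violations are (src, dst, port) for
    connections to ports outside the allow-list; bulk_senders maps a host to
    its outbound byte total once it crosses BULK_THRESHOLD_BYTES.
    """
    violations, out_bytes = [], defaultdict(int)
    for line in log_text.splitlines():
        src_ip, dst_ip, dst_port, nbytes = parse_line(line)
        # Inbound and internal-to-internal flows are not egress; skip them.
        if not is_internal(src_ip) or is_internal(dst_ip):
            continue
        if dst_port not in ALLOWED_EGRESS_PORTS:
            violations.append((src_ip, dst_ip, dst_port))
        out_bytes[src_ip] += nbytes
    bulk = {h: n for h, n in out_bytes.items() if n > BULK_THRESHOLD_BYTES}
    return violations, bulk

if __name__ == "__main__":
    v, b = audit_egress(SAMPLE_LOG)
    for src, dst, port in v:
        print(f"DENY  {src} -> {dst}:{port} (port not in egress allow-list)")
    for host, n in b.items():
        print(f"ALERT {host} sent {n} bytes outbound in this window")
```

On the sample log the IRC-port connection from 10.1.2.3 is denied by policy, and 10.1.2.4 is flagged for 60,000,000 bytes outbound even though every one of its connections used an allowed port.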