>A vendor of an on-line database asks that we open our firewall to their
>entire Class B address space for both UDP and TCP on ports 8000 thru 9120.
>
>I have been asked to quantify the risks involved. My initial list includes:
>
>Why do they need their entire Class B? This allows ANYONE in their domain
>access.
>
>Why do they want 1120 ports of both UDP or TCP? This seems a little large to
>me.
>
>Any words of wisdom from admins "who have been there" that I can use to
>bolster my initial "This is a BAD IDEA" reaction to upper management would be
>appreciated.
>
>Thanks,
>Tom Mooney
>Senior UNIX System Administrator
Tom,

Mildly putting it - "They are out of their minds" (although you may
want to rephrase this to be somewhat more diplomatic). A connection
between their database & your internal LAN/WAN through your firewall
configured as you mentioned puts your internal LAN/WAN at a serious risk.

Assuming you have no other choice in the matter & your manager says make
the connection or find another job, there are almost always alternatives
to ugly situations:

1) Send a mail (cc: to yourself and at least one other trustworthy person)
indicating the risks and your disapproval of the connection. Print out
the mail, sign & date it, and mail it to your home address. Take the
unopened envelope and file it away for safekeeping (you may need it if
anything ever happens).

2) Find a way to minimize the risk (& hope for the best).

There are a few ways of minimizing the risk, but the least risky one
that comes to mind right now (10pm) is to have the connection tied
to an isolated network segment (i.e. isolated = not connected to any
other networks, all network connections taped up, etc.) where the
db info is accessed and transferred via sneakernet to your internal
LAN/WAN. This segment can be protected by your outside router or a
firewall with subnetting capability. (If you decide to go this route,
make *Very* sure you are very careful about setting up your rules.)
Triple-check your work and then have a second person confirm your
configuration is correct.

If you want a long song & dance on the risks of what they are proposing,
either grab a copy of Cheswick & Bellovin's wonderful book entitled
"Firewalls & Internet Security" or send me a mail.

The above comes from my experience in a previous life as a National
Information Security Operations Officer for a major high-tech company
where I have had to handle similar problems to the one you posed.
(Some were actually pretty bizarre, but that's another story...)

Best Regards,
Frank

PS - If you need any more help on this, drop me a line with your phone
number & I will try to help you more.
Fortified Networks Inc.
http://www.fortified.com/fortified
Expert Management & Information Security Consulting
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
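Tom asked how to quantify the risk of the requested rule and Frank's advice was to tighten and triple-check the rule set; the script below is an added example, not code from either message, that scores a firewall rule set by the number of (source host, port) pairs it admits and flags the broad spots. The rule syntax is constructed for the example and 10.0.0.0/16 is a placeholder standing in for the vendor's Class B.

```python
import ipaddress
import re

# Constructed rule syntax: "<proto> <source-cidr-or-host> <port>[-<port>]"
RULE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\d+)(?:-(\d+))?$")

class Rule:
    def __init__(self, proto, src, port_lo, port_hi):
        self.proto, self.src = proto, src
        self.port_lo, self.port_hi = port_lo, port_hi

    def hosts(self):
        return self.src.num_addresses          # /16 -> 65536, /32 -> 1

    def ports(self):
        return self.port_hi - self.port_lo + 1  # 8000-9120 -> 1121

    def exposure(self):
        # Distinct (source host, destination port) pairs this rule admits.
        return self.hosts() * self.ports()

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    proto, cidr, lo, hi = m.groups()
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {text!r}")
    # A bare host address becomes a /32 network.
    return Rule(proto, ipaddress.ip_network(cidr, strict=False), lo, hi)

def review(rules, max_hosts=1, max_ports=1):
    """Return (total exposure, findings) for a rule set; limits are policy knobs."""
    findings, total = [], 0
    for r in rules:
        total += r.exposure()
        if r.hosts() > max_hosts:
            findings.append(f"{r.proto} {r.src}: source covers {r.hosts()} hosts")
        if r.ports() > max_ports:
            findings.append(f"{r.proto} {r.src}: {r.ports()} ports open")
    if len({r.proto for r in rules}) > 1:
        findings.append("both TCP and UDP permitted; one service rarely needs both")
    return total, findings

# Constructed: the vendor's request (whole Class B, 8000-9120, both protocols).
PROPOSED = [parse_rule("tcp 10.0.0.0/16 8000-9120"),
            parse_rule("udp 10.0.0.0/16 8000-9120")]
# Constructed: tightened alternative for the isolated segment, one host, one port.
TIGHTENED = [parse_rule("tcp 10.0.5.7 8000")]

if __name__ == "__main__":
    for name, rs in (("proposed", PROPOSED), ("tightened", TIGHTENED)):
        total, findings = review(rs)
        print(f"{name}: exposure={total:,}", *[f"  - {f}" for f in findings], sep="\n")
```

Run it as-is to compare the two rule sets; the exposure count is a crude but defensible figure to put in front of management, and the findings list is the checklist to walk through with the second reviewer Frank recommends.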