Great Circle Associates Firewalls
(September 1996)
 


Subject: Re: Modem hacking
From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Date: Tue, 10 Sep 1996 22:17:04 -0400 (EDT)
To: craigw @ dg . ce . com . au
Cc: Nick Keenan <nkeenan @ gsionline . com>, firewalls @ GreatCircle . COM
In-reply-to: <199609102308 . JAA24169 @ mac . ce . com . au>

I've had a similar problem at a site where users should have known 
better. Only certain individuals were allowed modems, and presumably they 
were savvy enough to understand the security risks. One (that we know of) 
wasn't: He configured Chameleon to route. Backdoor. Bad Thing(tm). We 
caught him at it because we started seeing packets that should not have 
been on the internal net, and they had his system's MAC address. He 
wasn't doing this maliciously, but was just experimenting with his new 
software that he bought at Egghead. ALL users lost their modems most
ricky tic. 

If you are serious about security, don't go out and spend $50,000 on a 
firewall package, system to run it on, time to set it up, and then leave 
modems plugged into everything, including the pump on the lobby fish tank.

Set up a UNIX system on a bastion segment, and make users telnet through 
to this, log in, and then dial out, or set up an NCSI/NASI modem pool for 
users running Windoze (AFAIK, you still need IPX for this, but I haven't 
looked into it lately).

You might get away with local modems at a small site, where you can keep 
an eye on everyone. At a large site, you'll have someone whose 
brother-in-law's neighbor tells him about this great PC Anywhere package, 
etc., and it'll be set up for dial-in before you know it. Users love to 
get around getting a "home" ISP account by connecting in to the office.

- r.w.

> 
> as I said...there is a basic routing protocol.
> NT can be configured quite easily, 95 sux. but it is still routable 
> (esp using some freeware available over the net), and dos/3.1/3.11 
> while a REAL pain is also configurable.
> 
> I can route traffic from a modem to the LAN to a WAN. I do it now, 
> but outside the trusted network. If you want details on how to do 
> this, with only the native OS, mail me personally 
> (doshai @ pip . com . au). The problem is that it is more of a 
> nuisance...you need individual static routes for a lot of points. Very 
> time consuming.
> most users will not know of the M$ route add command (a rip off of 
> the Unix one, but some will).
> 
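
The check described in the message above (packets that should not be on the internal net, all carrying one workstation's MAC address) can be automated. This is an added example, not part of the original post; the internal address plan, the sanctioned router MAC and the capture records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed for this example): internal address plan and the
# MAC addresses of the sanctioned routers/firewall on this segment.
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SANCTIONED_ROUTER_MACS = {"00:00:0c:aa:bb:01"}

# Constructed sample: "epoch src_mac src_ip dst_ip" as seen on the internal LAN.
SAMPLE_CAPTURE = """\
842400001 00:00:0c:aa:bb:01 192.0.2.10 10.1.4.20
842400002 00:a0:24:11:22:33 10.1.4.20 10.1.9.5
842400003 00:a0:24:de:ad:01 10.1.7.44 10.1.9.5
842400004 00:a0:24:de:ad:01 198.51.100.7 10.1.9.5
842400005 00:a0:24:de:ad:01 198.51.100.7 10.1.2.2
842400006 00:a0:24:de:ad:01 203.0.113.99 10.1.9.5
malformed line
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_unsanctioned_forwarders(capture_text):
    """Return {mac: sorted foreign source IPs} for every MAC that is not a
    sanctioned router yet emitted frames whose source IP is not internal."""
    foreign = defaultdict(set)
    for line in capture_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        _, mac, src, _ = fields
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip records with an unparseable source address
        mac = mac.lower()
        # Frames from the real router legitimately carry outside source IPs;
        # any other MAC doing so is a host forwarding for another network.
        if mac in SANCTIONED_ROUTER_MACS or is_internal(src_ip):
            continue
        foreign[mac].add(src_ip)
    return {m: [str(i) for i in sorted(ips)] for m, ips in foreign.items()}

if __name__ == "__main__":
    for mac, ips in find_unsanctioned_forwarders(SAMPLE_CAPTURE).items():
        print(f"{mac} is forwarding for non-internal sources: {', '.join(ips)}")
```
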

