Your third choice (if management will back you) is to contract
that they won't bounce, use a tty sniffer* to watch their actions, and
then recover damages if they hop on.
You might also use some form of process accounting to see what
programs they invoke, and challenge them on it. Install a wrapper
around telnet, rsh, rlogin, ssh, etc. Use a restricted shell that
only allows them a certain path, and give them a short list of useful
tools (sed, awk, agrep, ps) to do their work, but nothing else without
asking permission.
* I say a TTY sniffer because of course you are using an
encrypted telnet to come in over the internet.
Adam
Ryan Russell/SYBASE wrote:
| Your two choices are to put the hosts they do get
| access to into a DMZ, or to increase security on all
| the other hosts in your network. In your net, option
| 2 probably isn't practical.
|
| Ryan
|
| ---------- Previous Message ----------
| From: khanhi @ emirates.com (Hidayatullah Khan) @ smtp
| Subject: Restrict Springboarding
|
| Hello All,
| Ours is a large organization with a class B addressing. We have a
| firewall in place to allow outgoing web and mail services. Often we
| have vendors coming in to our systems to support their applications. Our
| firewall is configured to allow the vendors to telnet to specific hosts.
| On a couple of occasions I have noticed a vendor's presence on a
| different host which he was not intended to access. My question is how can
| we restrict a vendor from "springboarding" (i.e. telnetting to other
| machines on our network) from the actual specific host.
| Thanks in Adv,
| Khan
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
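The wrapper Adam proposes above (around telnet, rsh, rlogin and ssh, installed in the vendor's restricted PATH) sketched out as a POSIX sh script. This is an added example, not code posted in the thread: it refuses any connection to a host that is not on an approved list, logs every attempt with user and tty so you have something to challenge the vendor with, and fails closed when the list or the log is unavailable. The allow-list location, its one-hostname-per-line format and the log path are assumptions; the option list handled by wrap_target_host covers the common value-taking options of those four clients and should be extended for whatever the vendor actually runs.

```shell
#!/bin/sh
# Added example (not from the thread): a wrapper meant to stand in for telnet,
# rsh, rlogin and ssh in a vendor account's restricted PATH.  It only lets the
# vendor reach hosts on an approved list and logs every attempt, so a
# "springboard" to another host is refused and recorded instead of silently
# succeeding.  File locations and the allow-list format are assumptions.

# Pick the destination host out of a telnet/rsh/rlogin/ssh command line:
# the first argument that is neither an option nor the value of an option
# that takes one, with any user@ prefix removed.  Returns 1 if none is found.
wrap_target_host() {
    skip=0
    for arg in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$arg" in
            -l|-p|-i|-o|-F|-e|-b|-c|-L|-R) skip=1 ;;   # options taking a value
            -*) ;;                                     # bare flags
            *@*) printf '%s\n' "${arg#*@}"; return 0 ;;
            *)   printf '%s\n' "$arg"; return 0 ;;
        esac
    done
    return 1
}

# Is HOST on the allow list?  One hostname per line, compared as a whole line,
# case-insensitively, as a fixed string (so "." is not a wildcard).
wrap_host_allowed() {
    host="$1"; allow="$2"
    [ -n "$host" ] && [ -r "$allow" ] && grep -qixF -- "$host" "$allow"
}

# Append one audit line: time, invoking user, tty, wrapped program, target, result.
wrap_log() {
    t="$(tty 2>/dev/null)" || t=notty
    printf '%s user=%s tty=%s prog=%s host=%s result=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -un)" "$t" "$1" "$2" "$3" >> "$4"
}

# Decide and log.  wrap_decide PROG ALLOWFILE LOGFILE ARGS...
# Exit 0 when the connection may proceed, 1 when it is refused.  Fails closed:
# no recognisable target, an unreadable allow list, or an unwritable log all deny.
wrap_decide() {
    prog="$1"; allow="$2"; log="$3"; shift 3
    host="$(wrap_target_host "$@")" || host="-"
    if wrap_host_allowed "$host" "$allow"; then
        wrap_log "$prog" "$host" allowed "$log" || return 1
        return 0
    fi
    wrap_log "$prog" "$host" denied "$log" || true
    return 1
}

# Installed as the wrapper (e.g. /usr/local/vendor/bin/ssh, a symlink to this
# script, with /usr/local/vendor/bin the only directory in the vendor's PATH)
# the tail of the script would be:
#   if wrap_decide "$(basename "$0")" /etc/vendor-hosts.allow /var/log/vendor-wrap.log "$@"; then
#       exec "/usr/bin/$(basename "$0")" "$@"
#   fi
#   echo "not an approved host; ask before connecting" >&2; exit 1
#
# Demonstration with a constructed allow list and a scratch log:
demo_allow="$(mktemp)"; demo_log="$(mktemp)"
printf 'appsrv1.example.com\nappsrv2.example.com\n' > "$demo_allow"

wrap_decide ssh "$demo_allow" "$demo_log" -p 2222 vendor@appsrv1.example.com && echo "ssh to appsrv1: allowed"
wrap_decide telnet "$demo_allow" "$demo_log" dbhost.example.com 23 || echo "telnet to dbhost: denied"
cat "$demo_log"
```

Pair this with the restricted shell Adam describes: if the vendor's PATH contains only the wrapper directory and the short tool list, and the real clients are not reachable by absolute path (mode 0750, group-owned by staff), the wrapper is the only route off the host and the log is the evidence for the "challenge them on it" step.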