On 10 Oct 1997, Ryan Russell/SYBASE wrote:
> So, if I'm one of these non-employees, and I decide
> to access your intranet, then I will have to telnet
> to one of the employee machines first?
>
> (I say telnet, but it could be just about any protocol..
> even me dropping a trojan file of some sort on
> the fileshare of one of the employee's Win95 boxes.)

I tend to use HTTP proxies these days as an example of this. Employee A
sets up a caching proxy on her local machine, then proceeds to use it to
access the intranet, and authenticates. Non-employee B points to
Employee A's proxy, and has access to the intranet. This even works with
VPNs (It's always been a tenet that allowing unencrypted access to an
encrypted machine _breaks_ the crypto model.) Add browsers that go and
get updates, like MSIE 4.0, and open fileshares, and the problem gets worse.

At this point, total control of the desktop software and configuration
are about the only way of gaining a bit of control over this, outside of
denying access completely.

Castle gates are only effective against attack when they're barred against
attack. If all the serfs aren't behind the walls, your chances of being
overrun increase significantly. The enemy, of course, would love to
dress up as a bunch of serfs and sneak in.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson       "My statements in this message are personal opinions
proberts @ clark . net   which may have no basis whatsoever in fact."
PSB#9280
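
Added example, not part of the original message: one way to spot the relay described above from the defender's side is to read the access log of a desktop caching proxy and report every client that is not the desktop itself. The Squid native log layout, the desktop address 10.1.2.30, the hostnames and the log lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: Squid native access.log lines from a caching proxy
# running on an employee desktop (assumed address 10.1.2.30).
# Fields: time elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = """\
876500001.120     45 127.0.0.1 TCP_MISS/200 1520 GET http://intranet.example.com/ - DIRECT/intranet.example.com text/html
876500009.504     12 10.1.2.30 TCP_HIT/200 1520 GET http://intranet.example.com/ - NONE/- text/html
876500020.877     61 192.0.2.77 TCP_MISS/200 8841 GET http://intranet.example.com/hr/ - DIRECT/intranet.example.com text/html
876500031.002     58 192.0.2.77 TCP_MISS/200 2210 GET http://payroll.example.com/ - DIRECT/payroll.example.com text/html
this line is damaged
"""


def foreign_clients(log_text, local_addrs):
    """Return {client_ip: sorted destination hosts} for every client that is
    not the desktop itself, i.e. a third party relaying through the proxy."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:          # truncated or damaged record
            continue
        try:
            client = ipaddress.ip_address(fields[2])
        except ValueError:            # client field is not an IP address
            continue
        if client.is_loopback or client in local:
            continue                  # the employee's own browser
        # CONNECT requests log "host:port" rather than a URL; keep them as-is.
        host = urlsplit(fields[6]).hostname or fields[6]
        seen[str(client)].add(host)
    return {c: sorted(h) for c, h in seen.items()}


if __name__ == "__main__":
    for client, hosts in foreign_clients(SAMPLE_LOG, ["10.1.2.30"]).items():
        print(f"{client} reached {', '.join(hosts)} via this desktop's proxy")
```

Any hit means the intranet server saw the desktop's address, not the real client's, so the server-side logs alone will not show the relay.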