Great Circle Associates Firewalls
(January 1994) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: I too need Opinions
From: sedayao @ argus . intel . com (Jeffrey C. Sedayao)
Date: Thu, 6 Jan 94 16:44:49 PST
To: plarkin @ iphase . com
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9401062235 . AA14700 @ chip . iphase . com> from "Patrick Larkin Jr" at Jan 6, 94 04:35:31 pm 
> Currently, we only allow users in our company to connect to external
> sites from Secured systems only.  By that, I mean systems that are maintained
> by MIS according to some predefined "rules of engagement".
 
> Now we have some people who would like to be able to connect to
> other internet sites from such things as Lab systems (where 100
> employees know root's pw) to PCs/MACs at home (who have slip connections
> to our net).
 
> Something about giving "unchecked" access to the Internet just doesnt
> feel right to me.  Am I being prudent or simply "Self appointed Internet
> Guardian".   Either way you see it, tell me why.  What are other 
> company's takes on this issue?
 
IMHO, you are being prudent.  You want to have some way to track down
your own employees when they do things they shouldn't.  When you get one
of those "someone from your company has been trying to break into our
site" calls, you need to be ready to determine the validity of the
claim.  If you let anyone anywhere out, one of your employees (or 
contractors) could pop a PC on the network, do some nastiness, and then 
just disappear.

With "unchecked" access, you may find that your users may put holes in your 
firewalls.  If you let everyone everywhere do FTP out, the first thing 
that some users will do is put telnet on a port > 1023 so they can 
"conveniently" log into their own machine from the Internet.   They may
put other things up in those ports, like a tcp relaying program.  I have 
seen both of these things happen.

At Intel, we try (although we don't always succeed) to limit access to
certain machines and subnets.   We are looking at proxy services like
socks but are worried about authenticating users on the client systems
(please don't turn this into a ident discussion).

> Thanks,
> -- 
> +=======================================================================+
> | PATRICK H LARKIN, JR. - System Administrator, Interphase Corp, Dallas |
> |>---------------------------------------------------------------------<|
> | "Remember 'Rock Climbing'?  Now we have 'Hypno-Helio-Static-Stasis'!" |
> |             -- Dr. Clayton Forrester, Deep 13 - MST 3000              |
>  \_____________________________________________________________________/
> 


-- 
Jeff Sedayao
Intel Corporation
sedayao @
 argus .
 intel .
 com
References:
Indexed By Date Previous: Re: Q re: WWW, mosaic, http
From: Chuck Buda <cbuda @ bluejay . creighton . edu>
Next: SunOS 4.x chroot(2)
From: bb @ math . ufl . edu
Indexed By Thread Previous: I too need Opinions
From: plarkin @ iphase . com (Patrick Larkin Jr)
Next: Q re: WWW, mosaic, http
From: jimc @ jts . com
Google
 
Search Internet Search www.greatcircle.com