> Currently, we only allow users in our company to connect to external
> sites from Secured systems only. By that, I mean systems that are maintained
> by MIS according to some predefined "rules of engagement".
> Now we have some people who would like to be able to connect to
> other internet sites from such things as Lab systems (where 100
> employees know root's pw) to PCs/MACs at home (who have slip connections
> to our net).
> Something about giving "unchecked" access to the Internet just doesn't
> feel right to me. Am I being prudent or simply "Self appointed Internet
> Guardian"? Either way you see it, tell me why. What are other
> companies' takes on this issue?

IMHO, you are being prudent. You want to have some way to track down
your own employees when they do things they shouldn't. When you get one
of those "someone from your company has been trying to break into our
site" calls, you need to be ready to determine the validity of the
claim. If you let anyone anywhere out, one of your employees (or
contractors) could pop a PC on the network, do some nastiness, and then

With "unchecked" access, you may find that your users may put holes in your
firewalls. If you let everyone everywhere do FTP out, the first thing
that some users will do is put telnet on a port > 1023 so they can
"conveniently" log into their own machine from the Internet. They may
put other things up in those ports, like a tcp relaying program. I have
seen both of these things happen.

At Intel, we try (although we don't always succeed) to limit access to
certain machines and subnets. We are looking at proxy services like
socks but are worried about authenticating users on the client systems
(please don't turn this into an ident discussion).

> | PATRICK H LARKIN, JR. - System Administrator, Interphase Corp, Dallas |
> | "Remember 'Rock Climbing'? Now we have 'Hypno-Helio-Static-Stasis'!" |
> | -- Dr. Clayton Forrester, Deep 13 - MST 3000 |