Peter Summers, Computer Engineer, Cardiology wrote :
>
> > Do your PCs need to talk to your Unix box ? Do they need to talk to the
> > outside ? If the answer to both is yes, there is a risk (btw, what do you
> > mean by "significant" ?)
>
> The PCs need to talk to the UNIX box.
>
> The users of the PCs would like to access the Internet, for all the
> usual reasons (news, mail, Mosaic, etc.).
>
> By significant, I mean a risk that would preclude giving the PC users
> Internet access.
>
> > Obvious backdoors are Telnet (first from to the outside to a PC, then from
> > that PC to the Unix box) and FTP (send a file to a PC, then from there to
> > the Unix box using 3rd-party FTP and/or Telnet). Depending on your set-up,
> > there may be others.
>
> The system is installed in a pathology lab. Clearly, anything
> capable of allowing incoming Telnet would need to be banned. My
> question is really, what other PC software might be security risk?
> Could FTP, outgoing Telnet software, or Mosaic be a problem?
>
Well, *anything* can be a problem if it has the right security holes active :-)
More to the point, I don't *think* outgoing telnet or FTP is a likely risk.
Incoming FTP (ie FTP server on your PCs) could be, though. You also need to be
careful about such things as mail/news, but they should be OK if properly done.
Avoid unauthenticated servers such as BOOTP/TFTP. As to Mosaic, I still don't
understand enough about how it works for a meaningful answer. Anybody out there
care to field that one ?
BTW, I'm on firewalls, so you don't need to send to me *and* firewalls. Feel
free, however, to forward this to firewalls (I didn't send it there, since
I'm not sure you're a member).
Regards
--
Michel Lavondes
E-Mail : lavondes@tidtest.total.fr
         lavondes%tidtest.total.fr@pegase.total.fr (if previous addr rejected)
Tel : +33-1-4135-4198
Fax : +33-1-4135-4189
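One way to turn the reply's advice (outgoing telnet/FTP from the PCs is acceptable, inbound servers such as FTP, TFTP or BOOTP on the PCs are the risk) into a check, as an added example that is not part of the original thread. The netstat-style listing is constructed, and the port table is an assumption using the standard port numbers for the services named above.

```python
import re
from typing import Dict, List

# Inbound services the thread singles out (assumed standard port numbers).
RISKY_LISTENERS = {21: "ftp", 23: "telnet", 67: "bootp", 69: "tftp"}

# Constructed sample in the style of `netstat -an`; not from any real host.
SAMPLE_NETSTAT = """\
Proto Local Address           Foreign Address         State
tcp   0.0.0.0:23              0.0.0.0:*               LISTEN
tcp   0.0.0.0:21              0.0.0.0:*               LISTEN
tcp   192.0.2.10:1042         192.0.2.1:23            ESTABLISHED
tcp   192.0.2.10:1043         198.51.100.7:21         ESTABLISHED
udp   0.0.0.0:69              0.0.0.0:*
udp   0.0.0.0:161             0.0.0.0:*
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)$")


def audit(netstat_text: str) -> Dict[str, List[str]]:
    """Separate inbound listeners (the risk the reply warns about) from
    outbound client sessions (which the reply considers acceptable)."""
    report: Dict[str, List[str]] = {"risky_listeners": [], "outbound_sessions": []}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or unparseable line
        proto, _laddr, lport_s, raddr, rport, state = m.groups()
        lport = int(lport_s)
        # A TCP socket in LISTEN, or a bound UDP socket with a wildcard peer,
        # is a service reachable from the network.
        listening = (proto == "tcp" and state == "LISTEN") or (
            proto == "udp" and rport == "*"
        )
        if listening and lport in RISKY_LISTENERS:
            report["risky_listeners"].append(f"{proto}/{lport} ({RISKY_LISTENERS[lport]})")
        # Established TCP with an ephemeral local port: the PC is the client.
        elif proto == "tcp" and state == "ESTABLISHED" and lport >= 1024:
            report["outbound_sessions"].append(f"{raddr}:{rport}")
    return report


if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_NETSTAT).items():
        print(kind, entries)
```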