Great Circle Associates Firewalls
(April 1996)

Subject: RE: Packet Filtering - I'm Stuck
From: Adam Safier <asafier @ explorer . csc . com>
Date: Tue, 16 Apr 96 11:49 EDT
To: Gavin Ferreiro <gavin @ tml . co . za>
Cc: firewalls @ GreatCircle . COM

At 03:23 PM 4/12/96 +-200, Gavin Ferreiro wrote:

>Let's say I put packet filtering rules on the router that separates
>our LAN from the external gateway to only permit them telnet and ftp
>access to specific machines.  Would it be possible for them to:
>telnet to a machine they are allowed to on our LAN, then
>telnet from there through the Internet gateway?

Yes, unless you block those specific machines from getting out to the
Internet also.   

In addition they will have a launch point for attacking your other internal
machines if they choose to.   (Of course if you catch them doing this it
will cost them lots of $$$ if the contracts are right.)


>Do I need to put rules on the Internet router to disallow this?

Yes, but you are limited to blocking connections from their IP addresses to
the Internet and to blocking the selected internal systems.


If you add an authenticating firewall you could force everyone going out to
the Internet to authenticate on the way OUT, not just on the way in.  It
becomes a question of cost and convenience for the rest of your users vs. a
slight additional risk of additional traffic.

Maybe it's enough to make the rules clear to the support organization, log
every inbound and outbound connection on the systems in question and button
down the systems in question (hire a UNIX security expert or read, read,
read and practice.)



Adam Safier
CSC-SED-Infosec
asafier @ csc . com

"If you show me yours, I still won't show you mine."

Expressed opinions are my own and might not be shared by my employer or
anyone else.
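The two-hop problem described in the exchange above, modelled as a first-match packet-filter simulator. This is an added example and not code from the original thread; the addresses, host names and rule sets are constructed placeholders. It shows that an Internet-router rule set which only blocks the support organisation's own addresses still lets them reach the Internet through an internal host they are allowed to telnet to, and that adding deny rules for those selected internal systems, as the reply recommends, closes the path.

```python
"""First-match packet-filter model of the 'telnet in, then telnet out' scenario.
All addresses and rules below are constructed for this example."""
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple

# A rule is (action, source net, destination net, destination ports or None for any).
Rule = Tuple[str, IPv4Network, IPv4Network, Optional[Set[int]]]

TELNET, FTP = 23, 21
ANY = ip_network("0.0.0.0/0")

# Constructed topology (placeholders, not from the original message).
CONTRACTOR_NET = ip_network("203.0.113.0/24")      # the support organisation's network
CONTRACTOR_HOST = ip_address("203.0.113.7")        # one of their workstations
INTERNAL_NET = ip_network("10.0.0.0/24")           # "our LAN"
ALLOWED_HOSTS = [ip_address("10.0.0.5"),           # the specific machines they may telnet/ftp to
                 ip_address("10.0.0.6")]
OTHER_INTERNAL = ip_address("10.0.0.9")            # an internal host they are not allowed to reach
INTERNET_HOST = ip_address("198.51.100.10")        # some host out on the Internet


def host_net(addr: IPv4Address) -> IPv4Network:
    """Wrap a single address as a /32 so it can be used as a rule endpoint."""
    return ip_network(f"{addr}/32")


def permitted(rules: List[Rule], src: IPv4Address, dst: IPv4Address, port: int) -> bool:
    """Evaluate a connection against an access list: first matching rule wins,
    and a connection matching no rule is denied (the usual router ACL semantics)."""
    for action, src_net, dst_net, ports in rules:
        if src in src_net and dst in dst_net and (ports is None or port in ports):
            return action == "permit"
    return False


# Router between the contractor link and our LAN: telnet/ftp to the named hosts only.
LAN_ROUTER: List[Rule] = [
    *[("permit", CONTRACTOR_NET, host_net(h), {TELNET, FTP}) for h in ALLOWED_HOSTS],
    ("deny", CONTRACTOR_NET, ANY, None),
    ("permit", ANY, ANY, None),        # everyone else is unrestricted
]

# Internet router, first attempt: block only the contractor's own addresses.
INTERNET_ROUTER_V1: List[Rule] = [
    ("deny", CONTRACTOR_NET, ANY, None),
    ("permit", ANY, ANY, None),
]

# Internet router, as the reply recommends: also block the selected internal systems.
INTERNET_ROUTER_V2: List[Rule] = [
    ("deny", CONTRACTOR_NET, ANY, None),
    *[("deny", host_net(h), ANY, None) for h in ALLOWED_HOSTS],
    ("permit", ANY, ANY, None),
]


def pivot_paths(lan_rules: List[Rule], inet_rules: List[Rule],
                src: IPv4Address, dst: IPv4Address, port: int = TELNET) -> List[IPv4Address]:
    """Return every internal host through which `src` can reach `dst` in two hops:
    the first hop must pass the LAN router, and the second hop, now sourced from the
    internal host, must pass the Internet router."""
    return [h for h in INTERNAL_NET.hosts()
            if permitted(lan_rules, src, h, port) and permitted(inet_rules, h, dst, port)]


if __name__ == "__main__":
    print("direct contractor -> Internet (v1):",
          permitted(INTERNET_ROUTER_V1, CONTRACTOR_HOST, INTERNET_HOST, TELNET))
    print("two-hop paths with v1 rules:",
          pivot_paths(LAN_ROUTER, INTERNET_ROUTER_V1, CONTRACTOR_HOST, INTERNET_HOST))
    print("two-hop paths with v2 rules:",
          pivot_paths(LAN_ROUTER, INTERNET_ROUTER_V2, CONTRACTOR_HOST, INTERNET_HOST))
```

With the first rule set the direct connection is denied but `pivot_paths` reports both allowed hosts; with the second it reports none. The same check is a cheap thing to rerun whenever the list of "specific machines" changes, since every host added to the LAN-router permit list needs a matching deny on the Internet router.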


