In my opinion this is not very secure. It is something like guarding the
front door with an army and leaving the back door wide open.
An attacker would probably use this because it is the easiest way. I'm
not sure if Windows95 or NT can or will route packets between two
segments. But a hacker can change the systems to do so.
I realize it is a problem to prevent users from getting their own dial-up
account. Just offer them the same or better service from your WAN or
make it cheaper for them. Also inform them properly about the risks they
create.
Also make it a company rule that it is forbidden. If they break the rule,
just disconnect them from your WAN.
You have to make sure the management agrees with this.
Good luck,
Hans Grutter
>----------
>From: klinec @ mapcoinc . com [SMTP:klinec @ mapcoinc . com]
>Sent: Friday, 27 February 1998 21:42
>To: Firewalls @ GreatCircle . COM
>Subject: Dial-up security breach?
>
>This is a little off-topic, but I thought I would try it anyway.
>
>We provide Internet access to 300 users enterprise-wide through our
>frame-relay WAN connections and our firewall at our corporate headquarters.
>Some users have decided to go out and get accounts with local ISPs and have
>dial-up connections in Windows95 or Windows NT to these ISPs. How much of
>a security risk does everyone think this may be? Since these users are
>typically dynamically assigned an IP address when they log in to their ISP,
>they then have TWO IP addresses on their system. One for the network card
>and one for the dial-up PPP connection. Could an attacker use this
>situation to attack our network? How likely is this?
>
>We are trying to eradicate this from our network, but some of these users
>are pretty stubborn.
>
>Thanks,
>Curtis Kline
>Network System Engineer
>MAPCO Coal, Inc.
>Tulsa, OK