I've seen this many times where a user feels a particular need for a service
that the firewall does not support. In every case I can remember, we didn't
feel the service could be safely supported through the WAN, and therefore
we certainly didn't want it running through a dial-up link.
For the user, who whines like my 5 year old nephew that he really, really
neeeeeeeeeeds <insert your scary protocol here> to the desktop,
the rule is that the workstation must come off the network and become
a sacrificial lamb. That forces the user to choose between corporate
connectivity and department e-mail, or the service.
Bottom line: we understand the need for an occasional non-compliant
dial-out (repeat outbound. once again, that's outbound. :^) but not
on a network station.
Contractor, US Department of State
On Monday, March 02, 1998 12:04 AM, Nance, Kenneth [SMTP:nancek @
> When we talk security, the issue is what are we trying to protect at
> what cost?
> We can impose the hardware, software, firmware and procedural techniques
> to secure our information and avoid denial of service. Looking at this
> from the aspect of securing the information, there are some
> vulnerabilities when e-mail applications (unencrypted) are used. Where
> does the mail sit prior to delivery?
> I want to discuss more but, I'll try to get back with you.
> >From: Henry Hertz Hobbit[SMTP:hhhobbit @
> >Sent: Sunday, March 01, 1998 9:38 AM
> >To: klinec @
> >Cc: Firewalls @
> >Subject: Re: Dial-up security breach?
> >On Fri, 27 Feb 1998 klinec @
> >> This is a little off-topic, but I thought I would try it anyway.
> >> We provide Internet access to 300 users enterprise-wide through
> >> our frame-relay WAN connections and our firewall at our corporate
> >> headquarters. Some users have decided to go out and get accounts
> >> with local ISPs and have dial-up connections in Windows95 or
> >> Windows NT to these ISPs. How much of a security risk does
> >> everyone think this may be? Since these users are typically
> >> dynamically assigned an IP address when they log in to their ISP,
> >> they then have TWO IP addresses on their system. One for the
> >> network card and one for the dial-up PPP connection. Could an
> >> attacker use this situation to attack our network? How likely
> >> is this?
> >> We are trying to eradicate this from our network, but some of
> >> these users are pretty stubborn.
> >I don't understand what they have to be stubborn about. Why do
> >they need internet access TWO ways? It gives two ways in, and
> >even if an attack isn't found it soon will be 8^). Also, all
> >of those dial-up analog lines (assuming interior of company's
> >phone lines are digital) are costing your company $$. Me and a
> >friend were discussing this, and we believe we could access the
> >files on the PC. Sounds to me like you just made your firewall
> >pointless and useless. I know companies that have had firewalls
> >that were never breached, but the modem bank for home access
> >to employees caused numerous break-ins.
> >Yank their phone lines...
> >The Hobbit (NOT the netcat one)