Firewalls: RE: Dial-up security breach?

Firewalls
(March 1998)

Indexed By Thread: [Previous] [Next]

Subject:	RE: Dial-up security breach?
From:	Michael Simonyi <msimonyi @ woodbridge . com>
Date:	Mon, 2 Mar 1998 14:52:26 -0500
To:	"'GRJN @ pggm . nl'" <GRJN @ pggm . nl>, "Firewalls @ GreatCircle . COM" <Firewalls @ GreatCircle . COM>, "klinec @ mapcoinc . com" <klinec @ mapcoinc . com>

Sorry to jump in like this,

If you have two cards in the machine, you definitely want to make sure you 
disable routing between the cards.

>A attackker would probably use this because it is the easiest way. I'm
>not sure if Windows95 or NT can or will route pakkets between to
>segments. But a hacker can change  the systems to do so.

You may want to setup system policies and machine policies using user 
profiles and hardware profiles to prevent this also.  It works great on NT 
systems, Win95 can still be coerced, but the profiles get reloaded upon 
logon again.  This tends to gets users really frustrated.  It also starts 
to give you a good idea of who is playing around with their machine.  They 
will typically call you and let you know that they can't perform a specific 
function that should be reserved for admin use only.

Mike

-----Original Message-----
From:	GRJN @
 pggm .
 nl [SMTP:GRJN @
 pggm .
 nl]
Sent:	Monday, March 02, 1998 4:06 AM
To:	Firewalls @
 GreatCircle .
 COM; klinec @
 mapcoinc .
 com
Subject:	AW: Dial-up security breach?


In my opinion this is not very secure. It is something like guard the
frontdoor with a army and let the back door wide open.

A attackker would probably use this because it is the easiest way. I'm
not sure if Windows95 or NT can or will route pakkets between to
segments. But a hacker can change  the systems to do so.

I realyze it is a problem to prevent users from getting their own dailup
account. Just offer them the same or better service from your WAN or
make it cheaper for them. Also inform them properly about the risks they
create.

Also make it a company-rule that it is forbidden. If they break the rule
just disconnect them from yout WAN.
you have to make sure the management agree with this.

Good luck,

Hans Grutter





>----------
>Van: 	klinec @
 mapcoinc .
 com[SMTP:klinec @
 mapcoinc .
 com]
>Verzonden: 	vrijdag 27 februari 1998 21:42
>Aan: 	Firewalls @
 GreatCircle .
 COM
>Onderwerp: 	Dial-up security breach?
>
>This is a little off-topic, but I thought I would try it anyway.
>
>We provide Internet access to 300 users enterprise-wide through our
>frame-relay WAN connections and our firewall at our corporate 
headquarters.
>Some users have decided to go out and get accounts with local ISPs and 
have
>dial-up connections in Windows95 or Windows NT to these ISPs.  How much of
>a security risk does everyone think this may be?  Since these users are
>typically dynamically assigned an IP address when they log in to their 
ISP,
>they then have TWO IP addresses on their system.  One for the network card
>and one for the dial-up PPP connection.  Could an attacker use this
>situation to attack our network?  How likely is this?
>
>We are trying to eradicate this from our network, but some of these users
>are pretty stubborn.
>
>Thanks,
>Curtis Kline
>Network System Engineer
>MAPCO Coal, Inc.
>Tulsa, OK
>
>
>
>

Indexed By Date	Previous:	Re: Infosec Accountability - 2 cents more From: spaf @ cs . purdue . edu (Gene Spafford) (by way of Vin McLellan)
Indexed By Date	Next:	Re: Re[2]: Use the CISSP, Luke (was Re: Certifiying Security Aud From: "Paul D. Robertson" <proberts @ clark . net>
Indexed By Thread	Previous:	RE: Re: Dial-up security breach? From: Bates Dorene <batesd @ drum-emh4 . army . mil>
Indexed By Thread	Next:	Re: You have been traced!!! (I just received this in response to a FW posting). From: mht @ clark . net