
Re: [FW1] Reasons against opening I-net access..



Joe,

I could ramble on about the dangers of this for hours, but here's a few of
the heavy hitting reasons not to do so:

1) The misuse possibilities are endless - internal users could bridge your
network by using outbound VPN connections (PPTP, GRE tunnels, SOCKS, for
example), things like Napster, Quake, AOL, AOL Instant Messenger, IRC,
Pointcast, and a host of other non-business related utilities would all
work.  This could massively degrade your bandwidth utilization, not to
mention promote loss of productivity costs.

2) Nothing would prevent users from using non-encrypted protocols to send
your confidential information over the Internet - telnet (including tn5250,
tn3270), FTP, SMTP, etc.

3) If you don't have spoof protection installed perfectly, an attacker can
easily craft packets such that state table connections get made that look
like they came from the inside network.  Then, the attacker can exploit
things like the recently discovered FTP-PORT, FTP-PASV, Simplex TCP
Connections, and RSH stderr handling exploits to ride the open channel back
into your network (see http://www.dataprotect.com/bh2000/blackhat-fw1.txt
for more info on this).

4) Nothing would prevent the next trojan horse or even internet worm from
propagating out of your network.  How would management feel if the next
worm virus simply posted all your IP, username, password, and *.doc files
to a public IRC chat room?   

5) Same thing in #4 applies to hostile JAVA and ActiveX code.  Heard of
BrownOrifice?  See
http://securityportal.com/list-archive/bugtraq/2000/Aug/0146.html ,
entitled "Brown Orifice Can Break Firewalls!"

6) Stepping down from the soapbox, there's a lot of other reasons not to do
that.  Doing so is just asking for trouble.

Hope this helps (my apologies for the rant)!

Jason


At 04:17 PM 9/7/00 -0700, Joe Delsol wrote:
> What are the reasons against opening all port access to the internet from
> my internal users?  Any ideas?  Thanks!
>
> Joe

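The defensive counterpart of the points Jason raises is a default-deny egress policy with an explicit allowlist, plus an anti-spoofing check on the external interface (his point 3). The following is an added example written for this archive page, not code from the FW1 list, from Check Point, or from either poster. It audits a handful of constructed firewall connection records: it drops flows whose source address is internal but which arrived on the outside interface, permits only an allowlisted set of outbound services, and labels the denied ones with the protocol class the message warns about (cleartext logins, tunnels, IRC). The interface names, address ranges, port-to-service table and log lines are all assumptions made up for the example.

```python
"""Egress policy audit over constructed firewall connection records.

Added example, not from the original mailing-list thread. Interface names
("inside"/"outside"), internal address ranges, the allowlist and the log
lines below are constructed assumptions, not a real firewall's config.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed topology: these networks sit behind the "inside" interface.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Default-deny egress: only these (proto, dst_port) pairs may leave directly.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Services the message names as risky when allowed outbound, keyed the same
# way, so a denied flow gets a meaningful reason instead of just "deny".
RISKY = {
    ("tcp", 21): "ftp (cleartext credentials)",
    ("tcp", 23): "telnet/tn3270/tn5250 (cleartext)",
    ("tcp", 25): "smtp (cleartext mail relay)",
    ("tcp", 1080): "socks (tunnel)",
    ("tcp", 1723): "pptp (tunnel)",
    ("gre", None): "gre (tunnel)",
    ("tcp", 6667): "irc",
}


@dataclass(frozen=True)
class Conn:
    iface: str            # interface the first packet arrived on
    proto: str            # "tcp", "udp" or "gre"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports (GRE)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(c: Conn) -> Tuple[str, str]:
    """Return (verdict, reason) for one connection attempt."""
    src_int, dst_int = is_internal(c.src), is_internal(c.dst)
    # Anti-spoofing: an internal source address must never arrive from outside,
    # and only internal addresses may originate on the inside interface.
    if c.iface == "outside" and src_int:
        return "drop", "anti-spoof: internal source on outside interface"
    if c.iface == "inside" and not src_int:
        return "drop", "anti-spoof: non-internal source on inside interface"
    # Outbound flow: allowlist or deny, with the risk class as the reason.
    if c.iface == "inside" and not dst_int:
        key = (c.proto, c.dport)
        if key in EGRESS_ALLOW:
            return "accept", "egress allowlist"
        return "drop", "egress default-deny: " + RISKY.get(key, f"{c.proto}/{c.dport}")
    if c.iface == "inside":
        return "accept", "internal-to-internal"
    return "drop", "inbound default-deny"


def parse_line(line: str) -> Conn:
    """Constructed log format: iface proto src dst dport ('-' when portless)."""
    iface, proto, src, dst, dport = line.split()
    return Conn(iface, proto, src, dst, None if dport == "-" else int(dport))


def audit_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    return [(ln, *audit(parse_line(ln))) for ln in lines if ln.strip()]


# Constructed sample records, one per case the message discusses.
SAMPLE_LOG = [
    "inside tcp 10.1.2.3 203.0.113.5 443",      # normal web traffic
    "inside tcp 10.1.2.3 203.0.113.9 23",       # telnet to the Internet
    "inside gre 10.1.2.7 198.51.100.4 -",       # GRE tunnel out
    "inside tcp 10.1.2.8 198.51.100.20 6667",   # IRC
    "outside tcp 10.1.2.3 10.0.0.5 80",         # spoofed internal source
    "outside tcp 203.0.113.5 10.0.0.5 80",      # unsolicited inbound
]

if __name__ == "__main__":
    for line, verdict, reason in audit_log(SAMPLE_LOG):
        print(f"{verdict:6} {line:40} {reason}")
```

Run as a script it prints one verdict per sample line; in a real deployment the same allowlist-first logic is expressed in the firewall rulebase, and the anti-spoofing check corresponds to binding each interface to the address ranges legitimately behind it.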
