
RE: [FW1] Reasons against opening I-net access..



Let me add another perspective to this.  I am in the situation you are
contemplating: all my users have unrestricted access to the Internet through
the firewall.  I have spent the last 6 or 8 months trying to get my hands on
what they need to have open in order to do their jobs and what is just
fluff.  It is, at the very least, a daunting task.  I have a relatively
small organization (about 250 people), and getting the time to sift through all
their traffic (about 100,000 log entries a day) is tough, and I have the
added luxury of having all my logs in an Oracle database, which provides me
with a large amount of analysis capability.

Asking my users to identify what they need is a no-go since all they know is
that they click on an icon or a link and it works.  They don't even know
when they are switching from http to ftp to telnet to smtp.  The point here
is that you already have it tied down, if you open it up, you will probably
never get it back under control.  

What I would suggest is to open it up for select users.  Make the users
justify to management (not to you) why they need this and what it is for.
That will quickly  out the game downloaders from the real workers.

Jim Edwards
Systems Manager
Texas Secretary of State


-----Original Message-----
From: Jason Witty [mailto:[email protected]]
Sent: Thursday, September 07, 2000 7:16 PM
To: Joe Delsol; FW-1 List (E-mail)
Subject: Re: [FW1] Reasons against opening I-net access..



Joe,

I could ramble on about the dangers of this for hours, but here's a few of
the heavy hitting reasons not to do so:

1) The misuse possibilities are endless - internal users could bridge your
network by using outbound VPN connections (PPTP, GRE tunnels, SOCKS, for
example); things like Napster, Quake, AOL, AOL Instant Messenger, IRC,
Pointcast, and a host of other non-business-related utilities would all
work.  This could massively degrade your bandwidth utilization, not to
mention promote loss-of-productivity costs.

2) Nothing would prevent users from using non-encrypted protocols to send
your confidential information over the Internet - telnet (including tn5250,
tn3270), FTP, SMTP, etc.

3) If you don't have spoof protection installed perfectly, an attacker can
easily craft packets such that state table connections get made that look
like they came from the inside network.  Then, the attacker can exploit
things like the recently discovered FTP-PORT, FTP-PASV, Simplex TCP
Connections, and RSH stderr handling exploits to ride the open channel back
into your network (see http://www.dataprotect.com/bh2000/blackhat-fw1.txt
for more info on this.)

4) Nothing would prevent the next trojan horse or even internet worm from
propagating out of your network.  How would management feel if the next
worm virus simply posted all your IP, username, password, and *.doc files
to a public IRC chat room?   

5) Same thing in #4 applies to hostile JAVA and ActiveX code.  Heard of
BrownOrifice?  See
http://securityportal.com/list-archive/bugtraq/2000/Aug/0146.html ,
entitled "Brown Orifice Can Break Firewalls!"

6) Stepping down from the soapbox, there's a lot of other reasons not to do
that.  Doing so is just asking for trouble.

Hope this helps (my apologies for the rant)!

Jason


At 04:17 PM 9/7/00 -0700, Joe Delsol wrote:
>
> What are the reasons against opening all port access to the internet from
> my internal users?  Any ideas?  Thanks!
>
> Joe
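Jim's approach (sifting a day of accept logs to learn which services users actually need) and Jason's second reason (cleartext logins leaving the network) can be checked with the same log pass. The script below is an added example, not code from either poster; the "key=value" record layout and the sample log are constructed assumptions, not FireWall-1's real export format.

```python
from collections import Counter, defaultdict

# Services that carry logins or content in cleartext (reason 2 in the reply).
CLEARTEXT = {"telnet", "ftp", "smtp", "tn3270", "tn5250"}

# Constructed sample log: one accepted outbound connection per line.
# The "key=value" layout after date/time is an assumption for this example.
SAMPLE_LOG = """\
07Sep2000 09:01:12 src=10.1.1.5 dst=192.0.2.10 service=http dport=80
07Sep2000 09:01:40 src=10.1.1.7 dst=192.0.2.10 service=http dport=80
07Sep2000 09:02:03 src=10.1.1.5 dst=192.0.2.22 service=telnet dport=23
07Sep2000 09:02:51 src=10.1.1.9 dst=192.0.2.30 service=ftp dport=21
07Sep2000 09:03:10 src=10.1.1.7 dst=192.0.2.44 dport=6667
07Sep2000 09:03:33 src=10.1.1.9 dst=192.0.2.10 service=http dport=80
"""

def parse_line(line):
    """Return the key=value fields of one accepted-connection record."""
    return dict(tok.split("=", 1) for tok in line.split()[2:] if "=" in tok)

def summarise(log_text):
    """Count connections per service and collect the source hosts using it."""
    connections = Counter()
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if "src" not in fields:
            continue
        # Connections without a named service are kept under their raw port.
        service = fields.get("service", "tcp/" + fields.get("dport", "?"))
        connections[service] += 1
        hosts[service].add(fields["src"])
    return connections, hosts

def cleartext_users(hosts):
    """Hosts seen using cleartext protocols; each one is a review candidate."""
    return {svc: sorted(h) for svc, h in hosts.items() if svc in CLEARTEXT}

def report(log_text):
    connections, hosts = summarise(log_text)
    # Rank by distinct hosts: broadly used services are candidates for a
    # general rule, rarely used ones for the per-user justification Jim suggests.
    for svc, n in sorted(connections.items(), key=lambda kv: -len(hosts[kv[0]])):
        print(f"{svc:10s} connections={n:4d} hosts={len(hosts[svc])}")
    for svc, h in cleartext_users(hosts).items():
        print(f"cleartext {svc}: {', '.join(h)}")

if __name__ == "__main__":
    report(SAMPLE_LOG)
```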


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

