When I said Gauntlet was inflexible, I had no idea how much was to be
said on the issue.  Lots of it has been interesting, and I'm obviously
mistaken in many things (the rest, I don't see the point in arguing
about).  Nonetheless, I still feel that constructive advice is missing.
At the end of the day, what's the original poster to do?  Tell the
department that wants to access DCOM to get lost?  Or chuck the
firewall? Or both?

I guess my frustration is that while all the information you've all
passed on is great, a solution (or at least a course of action) isn't
any closer.  Someone hit the nail on the head when they said that
hackers help each other out more.

The original question was about *outgoing* DCOM connections, a fact that
seems to have been missed in all the subsequent postings (except for one
recent one).  Even if there's no difference between incoming and
outgoing, I think it would have been helpful to say why this is so
instead of simply saying that all DCOM is bad.  A discussion of DCOM --
even just telling people what it is and the reasons it's inherently
insecure -- would have been helpful.  And even if outgoing DCOM is as
bad as incoming, isn't there some advice that can be given that would
help the situation?  For example (feel free to correct me if I'm wrong):

If Server A is your server and Server B is the server that you want to
access, you can put Server A outside of the network protected by
Gauntlet. Server A can be accessed using one of the protocols supported
by the firewall.  For example, if Server A is a Cold Fusion server, you
can use http or ftp to move new templates to Server A.  This may satisfy
both your security requirements and the requirements of the department
that wants to use DCOM.  To take security measures a step further,
you'll need to address the security of the Server A, the security of
Server B, and the quality of data that resides on both servers, and the
trustability of the vendor.  Depending on the nature of the work this
department is doing, this may or may not be important.  For example, if
they're doing this just for testing, then it's probably not a big issue;
if they're storing customer data on either server, then you may have
more work to do.

By the way, a lot of the discussion that has taken place has centered
around firewalls and routers.  I think many who claim to be security
experts are really experts only in these things (if that). If your
firewall and routers are rock solid, but someone can find out your
company secrets by digging through your trashcans and recycling, then
does it really matter?  But I'm not saying lay down in front of the
locomotive.  Although your security is only going to be as strong as
your weakest link, that doesn't mean that you aren't better off than
someone who has all equally weak links.  You may be just as easy to
breach, but you also have fewer links to strengthen before you reach the
next level of security.

Jen
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
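An added example, not part of Jen's message or the thread, that models the "put Server A outside Gauntlet" design she proposes and shows why outgoing DCOM is awkward for a static per-port policy regardless of direction. Host names (workstation, server_a, server_b) and the zone layout are hypothetical. The DCOM behaviour modelled is the general one: the client first contacts the RPC endpoint mapper on TCP 135 and is then told a dynamically assigned high port to connect to for the actual object interface, so a rule that only opens 135 still fails the session.

```python
"""Model of the DMZ design from the message above (added example, not the
thread's own code).  Hosts and zones are hypothetical; the DCOM port
behaviour (TCP 135 endpoint mapper, then a dynamic high port) is general."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Hypothetical hosts and the zone each one sits in.
ZONE = {
    "workstation": "inside",  # department machine behind Gauntlet
    "server_a": "dmz",        # Cold Fusion server moved outside the firewall
    "server_b": "vendor",     # vendor's server the department wants to reach
}

# Flows the firewall is configured to proxy: only fixed-port protocols
# can be listed in a policy like this.
PROXIED = frozenset({
    ("inside", "dmz", 80),  # http: push new templates to Server A
    ("inside", "dmz", 21),  # ftp control channel to Server A
})


def firewall_mediates(flow):
    """The firewall only sees flows that cross the inside boundary."""
    return "inside" in (ZONE[flow.src], ZONE[flow.dst])


def allowed(flow, policy=PROXIED):
    """Static policy: a mediated flow must match a proxied protocol; a flow
    that never crosses the firewall (dmz <-> vendor) is not its decision."""
    if not firewall_mediates(flow):
        return True
    return (ZONE[flow.src], ZONE[flow.dst], flow.dport) in policy


def dcom_session(client, server, rng=random):
    """A DCOM session as a packet filter sees it: endpoint mapper on 135,
    then a second connection to whatever high port the server hands back."""
    dynamic_port = rng.randint(1024, 65535)
    return [Flow(client, server, 135), Flow(client, server, dynamic_port)]


def session_allowed(flows, policy=PROXIED):
    """A session works only if every one of its flows is permitted."""
    return all(allowed(f, policy) for f in flows)


def evaluate_designs(seed=1):
    """Compare the designs discussed in the thread under the same policy."""
    rng = random.Random(seed)
    opened_135 = PROXIED | {("inside", "vendor", 135)}
    return {
        # Outgoing DCOM straight from the inside to the vendor: blocked.
        "inside_to_vendor_dcom":
            session_allowed(dcom_session("workstation", "server_b", rng)),
        # Same, after someone "just opens 135": the dynamic port still fails.
        "inside_to_vendor_dcom_with_135_opened":
            session_allowed(dcom_session("workstation", "server_b", rng),
                            opened_135),
        # Jen's design: templates reach Server A over http.
        "inside_to_dmz_http": allowed(Flow("workstation", "server_a", 80)),
        # Server A talks DCOM to Server B with no firewall in the path.
        "dmz_to_vendor_dcom":
            session_allowed(dcom_session("server_a", "server_b", rng)),
    }


if __name__ == "__main__":
    for design, ok in evaluate_designs().items():
        print(f"{design:40s} {'allowed' if ok else 'blocked'}")
```

The point the model makes is the one the thread never spelled out: the firewall's objection to DCOM is not which direction the first packet goes but that the second connection lands on a port the policy cannot know in advance. Moving Server A outside the firewall sidesteps that, at the cost of Server A now having to defend itself, which is the follow-on work the message lists.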
