At 12:27 28/12/99 +0100, Paul Koch wrote:
>He would put me IN FRONT of the firewall so that I have to maintain my own
>security on my system.

That's a *really* bad idea.

i) Your box is outside of the corporate firewall protection - and traffic
to it is not logged at the firewall.

This means more chance that your box will get compromised, and less chance
of spotting it in the logs if it is.

ii) If your box gets compromised, it's located at the best place to sniff
traffic going in/out of the corporate site - script-kiddie tools will
vacuum up all sorts of nice stuff like any FTP/telnet passwords going by.
(OK, sniffing is not so easy if you're using an Ethernet switch on the
subnet outside the firewall, but even so.)

It seems to me that this whole issue is driven by a failure to take a
sensible 'business issues' approach.

If you can document why you need the stuff, then that *ought* to be enough
to then trigger a project for your sysop to cost up doing a 'properly
secured' real-video set-up.  It may turn out that the costs of doing it
properly outweigh the business benefits - so it's a project that won't happen.

That would be the *right* thing to do - whereas trying out 'cheaper
options' that have substantial security impact without going through a
risks/costs project is *not* the right thing.

Deri



