On Fri, 7 Jan 2000, Deri Jones wrote:
> At 12:27 28/12/99 +0100, Paul Koch wrote:
> >He would put me IN FRONT of the firewall so that I have to maintain my own
> >security on my system.
>
> That's a *really* bad idea.
>
> i) Your box is outside of the corporate firewall protection - and traffic
> to it is not logged at the firewall.
>
> This means more chance that your box will get compromised, and less chance
> of spotting it in the logs if it is.
>
> ii) if your box gets compromised, it's located at the best place to sniff
> traffic going in/out of the corporate site - script-kiddie tools will
> vacuum up all sorts of nice stuff like any FTP/telnet passwords going by.
> (OK sniffing is not so easy if you're using an ethernet switch on the
> subnet outside the firewall, but even so)
>
> It seems to me that this whole issue is driven by a failure to take a
> sensible 'business issues' approach.
>
> If you can document why you need the stuff, then that *ought* to be enough
> to then trigger a project for your sysop to cost up doing a 'properly
> secured' real-video set-up. It may turn out that the costs of doing it
> properly outweigh the business benefits - so it's a project that won't happen.
>
> That would be the *right* thing to do - whereas trying out 'cheaper
> options' that have substantial security impact without going through a
> risks/costs project is *not* the right thing.
>
While I understand this opinion, I also think that if the box is properly
secured, and there can be other boxes in front of this box set up to help
secure it, then, the risk might well be the same or perhaps even safer
than passing the traffic through the firewall and onto the internal
network...
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.