Ok, I thought you were teaching how to set up a DMZ for something like an
e-commerce site.  And judging by the number of break-ins at a lot of sites, I
suspect a lot of e-commerce sites think of a firewall as a magical box that
will filter out all the bad stuff even if you turn it into Swiss cheese.

-----Original Message-----
From: Noonan, Wesley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2001 1:50 PM
To: 'Ng, Kenneth (US)'; 'Rich Pitcock'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Permiting X through a PIX


-----Original Message-----
From:   Ng, Kenneth (US) [mailto:[EMAIL PROTECTED]]
Sent:   Thursday, January 18, 2001 12:27
To:     'Noonan, Wesley'; 'Rich Pitcock'
Cc:     '[EMAIL PROTECTED]'
Subject:        RE: Permiting X through a PIX

You are trying to set up a teaching environment?

Take it easy here guy. First, we are not teaching the PIX. Our students
don't see it and know nothing about it. Most of them can't spell PIX.
Second, this isn't a security class I am talking about here. It's a Unix
programming class. They aren't paying us to teach them security, they are
paying us to teach them how to program. They are paying us to provide telnet
and X connectivity so that they can program. Nothing more, nothing less.

Then you BETTER show how
to do things securely.  Imagine someone takes your class, sets things up in
his firm, the firm gets hacked, and the firm wants someone to blame.  Can
you say liability lawsuit? Let's say it's a public firm and the stockholders
get pissed off.  Can you say class action lawsuit?  And on top of both of
them, your competitors will be replaying the news over and over to generate
maximum bad publicity for you.  Sure, you will probably win, eventually,
because you have a disclaimer somewhere.  But tell me, which would your firm
rather spend the money on, new and improved products and/or services, or
fending off lawsuits?  This can go on for YEARS.  Think of how many times
CheckPoint has had to fend off alleged back door code put in by Israel.

Like I said, take it easy. You are jumping to some huge conclusions here
that aren't warranted. A few points.

(1) We don't have SSH on the Solaris boxes, so we can't do anything right
now anyway.
(2) I agree that SSH is probably a better way to do it, and is something we
will most likely do, but that requires change control on the classroom
environments and is NOT something a professional training organization does.
Especially not in the middle of class.
(3) This is why, as a trainer, one is a FOOL for providing advice on "how to
do it". As a trainer, your responsibility is to teach the concepts. It is
not your responsibility to say "do it this way". If you do, you open
yourself up to liability - even if you are correct.
(4) I have a class running tonight. I need a solution today.
(5) They worked with X windows fine without the PIX. Implementing the PIX,
then saying use SSH doesn't carry much merit. Their auto response is "why? We
have been using X windows for 4 years without any problems. Why change just
for the PIX". And to this, there is no good answer. There isn't a security
risk we are worried about, or need to address.

I'm not a Cisco expert, but I don't think the establish options will do any
good because when the X sessions start up, these are new sessions with
different port numbers.

That is what I was understanding as well, based on my limited grasp of the
established command. I am pretty sure I need to open conduits for 6000-6063
and that should get us working.



-----Original Message-----
From: Noonan, Wesley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2001 1:10 PM
To: 'Rich Pitcock'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Permiting X through a PIX


Unfortunately, I am being told that Solaris does not ship with SSH and it
would take making some changes to the classrooms that they aren't prepared
to make right now. I think this is something that we will probably pursue as
a long term solution though, based on what I am hearing in this thread and
from the trainers involved. In the short term though, I need to get access
working. Would those conduits do the trick? Am I correct in thinking that it
isn't working because the server needs to send data back on different ports
to the clients and those ports are closed? Would it be better to use the
established command?

One thing to keep in mind right now is that security isn't the high priority
here. We aren't sending any data across the internet.

We are currently running 5.1(2). Let me see what I can dig up on 5.1(3).

Thanks again.

Wes Noonan, MCSE/MCT/CCNA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com
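The connectivity point argued over in this thread, worked through as an added example (this is not code from the thread or from any of the posters; the hostnames, the DISPLAY strings and the :10 forwarded display number are constructed assumptions). An X client started on the Unix host opens a new TCP connection back to the workstation's X server on port 6000 plus the display number, in the opposite direction from the telnet session, so the firewall sees a fresh inbound connection rather than return traffic. With SSH X forwarding the same X traffic is carried inside the port 22 session and no separate inbound permit is needed. The script computes the display port from a DISPLAY string and lists which new connections a stateful firewall would have to permit in each setup:

```python
"""Which TCP flows an X11 session needs through a firewall, plain vs. SSH-forwarded.

Added example, not part of the original mailing-list thread. Hostnames and
DISPLAY values below are constructed for illustration.
"""
import re
from dataclasses import dataclass

X_BASE_PORT = 6000    # an X server for display :N listens on TCP 6000 + N
MAX_DISPLAYS = 64     # conventional range :0 to :63, i.e. ports 6000-6063
SSH_PORT = 22
TELNET_PORT = 23

_DISPLAY_RE = re.compile(r"(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?")


@dataclass(frozen=True)
class Flow:
    src: str               # host that opens the TCP connection
    dst: str               # host that accepts it
    dst_port: int
    new_connection: bool   # True when the firewall sees a fresh connection, not return traffic


def display_port(display: str) -> int:
    """TCP port behind a DISPLAY such as 'ws1:0', 'ws1:2.1' or 'localhost:10.0'."""
    m = _DISPLAY_RE.fullmatch(display)
    if m is None:
        raise ValueError(f"malformed DISPLAY: {display!r}")
    return X_BASE_PORT + int(m.group("num"))


def display_host(display: str) -> str:
    """Host part of a DISPLAY string; an empty host means a local (Unix-socket) display."""
    m = _DISPLAY_RE.fullmatch(display)
    if m is None:
        raise ValueError(f"malformed DISPLAY: {display!r}")
    return m.group("host")


def flows_plain_x(workstation: str, unix_host: str, display: str) -> list[Flow]:
    """Telnet from the workstation, then an X client on the Unix host connects
    back to the X server on the workstation. The second flow is a brand-new
    connection in the reverse direction, which is why the telnet session alone
    does not get it through the firewall."""
    return [
        Flow(workstation, unix_host, TELNET_PORT, new_connection=True),
        Flow(unix_host, display_host(display), display_port(display), new_connection=True),
    ]


def flows_ssh_forwarded(workstation: str, unix_host: str,
                        forwarded_display: str = "localhost:10.0") -> list[Flow]:
    """With SSH X forwarding, sshd on the Unix host listens on a local proxy
    display (here the assumed localhost:10 -> port 6010) and relays the X
    traffic inside the existing SSH session; only the port 22 connection
    crosses the firewall."""
    return [
        Flow(workstation, unix_host, SSH_PORT, new_connection=True),
        Flow(unix_host, unix_host, display_port(forwarded_display), new_connection=False),
    ]


def firewall_permits(flows: list[Flow]) -> list[tuple[str, str, int]]:
    """Distinct (src, dst, port) triples a stateful firewall must permit as new
    connections; loopback-only flows never reach the firewall."""
    return sorted({(f.src, f.dst, f.dst_port)
                   for f in flows if f.new_connection and f.src != f.dst})


def x_port_range() -> tuple[int, int]:
    """The inbound port range opened when every possible display is permitted."""
    return (X_BASE_PORT, X_BASE_PORT + MAX_DISPLAYS - 1)


if __name__ == "__main__":
    print("plain X11:", firewall_permits(flows_plain_x("ws1", "sol1", "ws1:0")))
    print("ssh -X:   ", firewall_permits(flows_ssh_forwarded("ws1", "sol1")))
    print("port range for all displays:", x_port_range())
```

Opening 6000-6063 inbound towards the workstations, as the thread proposes, makes every X server on that side reachable from every host the firewall lets through, and access control then rests entirely on each workstation's xhost or xauth settings; the SSH-forwarded arrangement needs only port 22 permitted and keeps the X traffic authenticated and encrypted on the wire, which is why it is the better long-term answer the thread already converges on.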
