Well, it's interesting. The point that I focused on was that the box was
also accessible from the Internet. That makes a big difference - it's not
just the Evil B Division sysadmins we're not trusting, it's the fact that
the box is essentially hanging its ass out on the Internet with "Hack Me"
painted on it.

If this application is truly business critical, then it should be logical to
resource it appropriately. In other words, if the project can't be run with
appropriate time, budget and consideration for existing policies then
it's not actually "critical".

On to opinions and recommendations. I'll call the NT4 box with the
PCAnywhere "Evilbox" and the box in A's LAN it needs access to "Underbelly".
I'm assuming that Evilbox needs to be on the same IP network as Underbelly
for some reason - otherwise it would be a simple matter to just put Evilbox
somewhere outside the A firewall and allow access appropriately.

I would look at using a dual-NIC bridge-mode firewall to restrict Evilbox to
only allow access to the one host/port in A-LAN required for this project,
but give it access to anything _else_. You could then do access control
between the Internet and Evilbox at A-FW and access control for everything
else at the WAN router.

It still doesn't make sense, though - I see no reason why Evilbox needs an
A-LAN IP address. *shrug*

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 

> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 12, 2001 12:28 PM
> To: Brian Steele
> Cc: Firewalls Mailing List
> Subject: Re: Your opinions please..
> 
> 
> 
> It's a matter of how much you -=personally=- trust lan B, and 
> how much you
> are allowed to mistrust lan B by your employer.[...] 
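A way to check the layered access control described above (the bridge on Evilbox's segment plus Internet control at A-FW) is to model both rule sets and evaluate them against new-connection flows. This is an added example, not code from the post or the list; the addresses and ports (10.1.0.0/24 for A-LAN, Underbelly on TCP 1433, PCAnywhere on TCP 5631) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the scenario in the thread (all addresses and ports
# are assumptions, not values from the mail). Evilbox sits behind a dual-NIC bridge.
A_LAN = ipaddress.ip_network("10.1.0.0/24")
EVILBOX = ipaddress.ip_address("10.1.0.50")     # NT4 host running PCAnywhere
UNDERBELLY = ipaddress.ip_address("10.1.0.10")  # the single A-LAN host the project needs
UNDERBELLY_PORT = 1433                          # assumed application port on Underbelly
PCANYWHERE_TCP = 5631                           # assumed PCAnywhere data port (TCP)

@dataclass(frozen=True)
class Flow:
    """First packet of a new connection; replies are assumed allowed by state tracking."""
    src: str
    dst: str
    dport: int

def bridge_policy(flow: Flow) -> str:
    """Bridge-mode firewall on Evilbox's segment: first match wins, A-LAN default deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src == EVILBOX and dst == UNDERBELLY and flow.dport == UNDERBELLY_PORT:
        return "accept"                  # the one host/port the project requires
    if src == EVILBOX and dst in A_LAN:
        return "drop"                    # nothing else in A-LAN is reachable from Evilbox
    if dst == EVILBOX and src in A_LAN:
        return "drop"                    # A-LAN hosts do not initiate to Evilbox
    return "accept"                      # non-A-LAN traffic: Internet control is A-FW's job

def a_fw_policy(flow: Flow) -> str:
    """Perimeter firewall A-FW: from the Internet, only PCAnywhere to Evilbox is admitted."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in A_LAN and dst == EVILBOX and flow.dport == PCANYWHERE_TCP:
        return "accept"
    if src not in A_LAN and dst in A_LAN:
        return "drop"                    # no other inbound connections into A-LAN
    return "accept"                      # outbound and internal traffic handled elsewhere

def end_to_end(flow: Flow) -> str:
    """A new connection must be accepted at every enforcement point on its path."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    points = []
    if src not in A_LAN or dst not in A_LAN:
        points.append(a_fw_policy)       # crosses the A-LAN perimeter
    if EVILBOX in (src, dst):
        points.append(bridge_policy)     # crosses Evilbox's bridge
    return "accept" if all(p(flow) == "accept" for p in points) else "drop"
```

Running the Internet-to-Underbelly and Evilbox-to-other-A-LAN-host flows through `end_to_end` shows both dropped, while the single required path and the PCAnywhere path to Evilbox are the only ones admitted.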