Brian,
Absolutely not. If A and B are independent, then there is no such thing as a
"critical business requirement" between the two that justifies one inserting a
software component on the other, and certainly not an application that could
expose the other. If I were in company A, I would tell company B to go pound
salt. If B has such a "critical" item, then let them host it on their network.
The only exception would be if the premise is false; that is, there is a
dependency dictated by the "Company."
There is another reason to be cautious. Suppose that B is running out of
horsepower and cannot get relief on their budget to get more. So their
"critical business need" is to find more horsepower. Aha. Let's put our
application on "A" and suck down their system. And since we do not have budget
to truly architect a client/server application, let's just slap on a remote console so we
can do anything we want to (maybe we could sneak another application in, or
sneak a peek at what A is doing).
Remember, security breaches are not merely defined as who whacked my network.
Most business information loss is because of mere observation which cannot
easily be detected. I would suggest that you are opening A up to something
beyond what A has authorized as its business process. You would be hard-pressed
to convince me that whether this is just a critical app or (as you intimate)
they are invoking a full NT server, they cannot do it on their side.
Keep the children apart without very (and I stress very) good reason to do
otherwise.
By the way, if this model is justified, I would like to see it and maybe partner
up with you to see if we could sell the solution to a bank here or there! ;)
But then, I am known as a hard-*** when it comes to security.
John Braden
Brian Steele wrote:
> Not really a firewall issue - more of a security issue, but as there are a
> few security experts on the list..:-)
>
> Situation: Company consisting of two independently operating business units,
> let's say A and B. The operations of each unit are governed by its own
> internal security procedures, A's being more stringent than B's. The two
> business units are connected via a WAN.
>
> B wants to install a software package in A's LAN to meet a "critical business
> requirement". However:
>
> 1. pcAnywhere has to be installed on the server running the
> package to allow staff from B to remote control the
> server (a Windows NT4 box, btw) when it's installed on
> A's LAN.
>
> 2. The software on the server will be interfacing with a critical
> system on A's LAN. And also with Internet users (via a
> firewall - port 80 only).
>
> 3. The software requires that the Administrator account be
> left logged on at the server's console.
>
> 4. The password for remote access via pcAnywhere (and
> thus the Administrator password) will be known to several
> persons in B.
>
> Now, if you were the sysadmin for A's LAN, would you consider this
> arrangement secure enough for internal business use? If not, are there any
> steps that you'd take to minimize the risk to your LAN? Or would you be
> raising the strongest protests to ensure such a system is not deployed on
> your LAN because of the security threat that it poses?
>
> Regards,
> Brian
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]