On Thu, 10 May 2001, Scott Overfield wrote:
> Good morning,
> Is there a reasonably secure way to allow netmeeting through a firewall?
Before you even get to "How would I pass it?", you need to stop and look
at "Should I pass it?" Dig through the protocols and make your own
evaluation, but you'll need a really lax security policy and no focus on
client-side protections to open a sucking chest wound like Netmeeting
unless the protocols have changed significantly in the last two years.
> How would you minimize the risks involved ?
1. Sacrificial lamb on the DMZ that gets reloaded from the ground up prior
to a meeting and shutdown after a meeting. Sit it in a conference room
and let the users book meetings that way.
2. Sacrificial lamb over dial-up that gets reloaded....
3. Remote display over a strongly authenticated/encrypted tunnel (with a
strong encryption boundary) to an isolated from the internal network
machine that gets reloaded....
4. Remote display over a strongly authenticated/encrypted tunnel (with a
strong encryption boundary) to a machine on the DMZ that gets reloaded...
5. Buy a video conference system.
6. Make access requirements so difficult that nobody ever wants to go
through the pain of using the stuff so it never gets opened up.
7. Have the users get their vendor to post a bond covering projected
losses should their product be a vector of compromise and have someone
fund monitoring equipment to provide evidence if it happens.
[Yes, I know it never happens, but it's *really* fun to watch everyone's
faces when you propose it as a serious risk management tool- especially
the vendor's sales reptiles and the user group that's demanding it. The
sudden movement from "business critical" to "can't afford to insure that"
can be a joy to watch.]
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."