20,000 people is a lot of people to trust. I would harden the servers and
firewall business units from each other. If you're concerned about those
firewalls being a bottleneck, it just so happens that my company makes a
product which can help with that :-)
HTH
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376
On Fri, 30 Jun 2000, Ivan Fox wrote:
>
> There was an internal and informal "debate" between IT Ops Team and
> Developers that internal servers should be "hardened"!
>
> IT states that the majority of hackers come from employees, so even internal
> servers should be hardened. The developers state that employees are
> trustworthy, if not, fire them.
>
> This organization has 20,000 employees in 30 locations all over the world
> and connected!
>
> What would be your take on this debate?
>
> Ivan
>
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "Ivan Fox" <[EMAIL PROTECTED]>
> Cc: "Firewall-1" <[EMAIL PROTECTED]>
> Sent: Friday, June 30, 2000 1:23 PM
> Subject: Re: [FW1] groups
>
>
> >
> >
> >
> > Unless you're afraid of your own users hacking this FTP server in the DMZ,
> > shouldn't you implement this security setup on the FTP server rather than the
> > firewall? I assume you are performing some sort of authentication on the FTP
> > server. I suppose if you are using "anonymous," this isn't an option, but keep
> > in mind that the firewall is usually, but NOT always, the best place to
> > implement security.
> >
> > Just my 2cents
> >
> > Dan Hitchcock
> > Network Engineer
> >
> >
> >
> >
> >
> > "Ivan Fox" <[EMAIL PROTECTED]> on 06/30/2000 06:29:13 AM
> >
> > To: "Firewall-1" <[EMAIL PROTECTED]>
> > cc: (bcc: Dan Hitchcock/CSB)
> >
> > Subject: [FW1] groups
> >
> >
> >
> >
> >
> > Let's say, I have 1000 internal users, only 500 of them need to pass through
> > a firewall to access an ftp server in the DMZ. These 1000 users are using one
> > big subnet. Meaning that I cannot limit the access by "network". I don't
> > want to create 500 user accounts on the firewall to avoid
> > administration/performance overhead.
> >
> > Is there an easy way to handle this scenario?
> >
> > Any pointers are much appreciated.
> >
> > Regards,
> >
> > Ivan
> >
> >
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================