Security Basics mailing list archives

Re: Allow second Internet connection into Office Space?


From: matthew <matthew () devney net>
Date: Sat, 12 Oct 2002 01:13:34 -0700 (PDT)

On Thu, 10 Oct 2002, michael wrote:


> A group of my programmers want to have a DSL connection put in
> their testing area so they can simulate end user experience across
> the Internet.

The general tone of responses thus far has been negative, and I'd like
some clarification on that assumption.  What makes the respondents think
that a DSL line is less secure than the company T1?

In either case, I assume you'll have a firewall.  Both benefit from the
same network monitoring and IDS.  Both are interchangeable to a greater or
lesser degree, depending on your IP addressing.  So, why *not* have a DSL
line?  Hell, if you can talk your ISP into running BGP with you (and you
have portable IPs), why not use it as a redundant/load balanced
connection?


> First questions I would ask myself are:-
>
> 1) why a DSL line? Does your site have lots of graphics / pages that
> are bandwidth intensive?
>
> 2) Do they need a high-speed connection? Would a modem connection be
> sufficient? (as this would also stop them using it for other
> activities e.g. Online Gaming)

Is there any reason to assume that a dialup is any more secure than cable
or DSL?  There are good anonymity side benefits to having a dynamic IP,
but most basic DSL is dynamic anyway, so that's a null benefit.  You may
attract fewer script kiddies, once they realize your link is too friggin
slow to be of any use... Provided they notice.

As for online gaming, putting a cheap video card in any machine attached
to it is a much better deterrent than a little extra latency.  Plenty of
people play Counter-Strike or QuakeWorld over dialup.

> 3) What does the testing area comprise? What is the value of the
> data contained on these PCs to the company?

These questions should already be known, as they should be asked with
respect to physical security as well as the preexisting internet
connection.  (I'm assuming T1 or similar.)

> I have concerns with this and am curious if anyone else has found a
> good solution to provision their business requirement without
> putting the network at risk.

Again, just for clarification, what concerns do you have?  With DSL in
particular, or with the idea of a second connection?

> I would be concerned if the developers were wanting to connect their
> development PCs to the internet as the risk to the company, and its
> assets, would be greatly increased.

Why greatly increased?  Why increased at all?  Again, I'm assuming that
you have some sort of a firewall at every point of entry.  For that
matter, the Actiontec DSL modems that Qwest ships, and probably the Cisco
678 that everyone else seems to ship, has a built-in packet filter.  Just
block all inbound non-EST packets.  That was state of the art security
until relatively recently.  If you have a little extra time on it, get a
$200 Duron box to be an actual firewall sitting between you and the DSL.

> We have recently set up an isolated network within our department
> which comprises two computers (a gateway with a modem, and a client
> PC) and a hub.
> These computers are not used for anything else but internet access
> therefore store no company data.
> The gateway contains the firewall and is set to "dial on demand", so
> either the gateway or the client can be used for access.
> This allows access for up to two people at any time whilst making
> sure there is no chance of the company network becoming infected or
> compromised.
> You could also do with making sure that nothing can be transferred
> from these computers to your network.

Isolating like this is definitely a good idea, but may nullify the
purpose.  If the idea is to test their dev software, depending on the
software's size, function, and frequency of these tests, manually copying
it over may be unfeasible.

> I know I haven't gone into enough detail for an EXACT solution but
> in general if anyone has any "tips" I'd appreciate it. Thanks!

> This may not be suitable for your company, but it may help you make
> your decision.
>
> Chris Hylen
> Data Security
>
> Mike Woodhead

--matthew () devney net
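The two positions in the thread (matthew: "just block all inbound non-EST packets"; Mike: keep the test segment isolated so nothing can cross to the company network) are complementary, and a practitioner would want to see both encoded in one rule set. The following is an added example, not code from anyone in this thread: a small stateful packet filter in Python that models the gateway sitting between the DSL modem, the programmers' test hub and the company LAN. The addresses (10.0.0.0/16 for the company LAN, 192.168.50.0/24 for the test segment) and the interface names "dsl", "test" and "corp" are assumptions made for the illustration. It also adds an anti-spoofing check that the thread does not mention, since a "block inbound unless established" policy is only as good as the filter's belief about which side a packet came from.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing for the illustration (assumed, not from the thread):
CORP_LAN = ip_network("10.0.0.0/16")       # company network behind the T1
TEST_LAN = ip_network("192.168.50.0/24")   # programmers' test segment behind the DSL
INTERNAL = (CORP_LAN, TEST_LAN)


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "dsl", "test" or "corp"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    new: bool = False   # True for a connection-opening packet (TCP SYN without ACK)


class TestSegmentFilter:
    """Stateful filter between the DSL modem, the test hub and the company LAN."""

    def __init__(self):
        # Flows the test segment has opened; the equivalent of the
        # ESTABLISHED entries in a conntrack table.
        self.conntrack: set[tuple] = set()

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        internal_src = any(src in net for net in INTERNAL)
        internal_dst = any(dst in net for net in INTERNAL)

        # 1. Anti-spoofing: a packet from the DSL side can never legitimately
        #    carry an internal source address.
        if p.iface == "dsl" and internal_src:
            return "DROP spoofed"

        # 2. Isolation: the test segment and the company LAN never exchange
        #    packets, in either direction, state or no state.
        if (src in TEST_LAN and dst in CORP_LAN) or (src in CORP_LAN and dst in TEST_LAN):
            return "DROP isolation"

        # 3. Packets belonging to a flow the test segment opened are allowed
        #    in both directions ("ESTABLISHED").
        if self._flow(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "ACCEPT established"

        # 4. The only new flows permitted: test segment -> Internet.
        if p.iface == "test" and src in TEST_LAN and p.new and not internal_dst:
            self.conntrack.add(self._flow(p))
            return "ACCEPT new-outbound"

        # 5. Everything else, including every unsolicited inbound packet from
        #    the DSL, is dropped ("block all inbound non-ESTABLISHED").
        return "DROP default"


def run_scenario() -> dict:
    """Constructed packet sequence exercising each rule; returns label -> verdict."""
    fw = TestSegmentFilter()
    packets = [
        ("dev opens http to internet",
         Packet("test", "192.168.50.10", 40000, "203.0.113.5", 80, new=True)),
        ("web server replies",
         Packet("dsl", "203.0.113.5", 80, "192.168.50.10", 40000)),
        ("internet scans ssh on dev box",
         Packet("dsl", "198.51.100.7", 4444, "192.168.50.10", 22, new=True)),
        ("stray ack with no state",
         Packet("dsl", "198.51.100.7", 4444, "192.168.50.10", 40000)),
        ("dev box reaches for corp file server",
         Packet("test", "192.168.50.10", 40001, "10.0.1.20", 445, new=True)),
        ("corp host pushes to dev box",
         Packet("corp", "10.0.1.20", 5000, "192.168.50.10", 80, new=True)),
        ("dsl packet spoofing a corp address",
         Packet("dsl", "10.0.1.20", 5000, "192.168.50.10", 80, new=True)),
    ]
    return {label: fw.decide(p) for label, p in packets}


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:40s} {verdict}")
```

The "stray ack with no state" case is the one worth noticing: the reply from 203.0.113.5 is accepted because it matches a flow the dev box opened, while a packet from a different host aimed at the same local port is dropped, since state is tracked per 5-tuple and not per port. On a Linux gateway the same policy is expressed with rules of the form `iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT` followed by a default DROP on the DSL interface, plus a FORWARD rule dropping anything between the test and company subnets; the Actiontec and Cisco 678 filters matthew mentions can express the inbound half but not the LAN-to-LAN isolation, which is why a separate box in the middle is the safer choice.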

