RE: Allow second Internet connection into Office Space?

["Rapaille Max" <Max.Rapaille () nbb be>]

OK.  It's clear like that.

Indeed, if this is only for some kind of Cosmetic test, just install them an old machine, a browser, a phone line and 
some free internet access...  THis should reduce cost...
But anyway, This machine should be secured well, patched abd anti-virus up2date installed..  The net is so Wild today 
;-)
Concernning VNC...  I'm not sure I would leave a machine on the net, with a VNC server waiting.  Or at least I would 
secure it, Using SSH (IIRC this topic has been discussed more in depht on the list, a few weeks ago) and some very 
STRON password.

Regards,

Max

-----Original Message-----
From: Chris Santerre [mailto:csanterre () MerchantsOverseas com] 
Sent: jeudi 17 octobre 2002 20:16
To: Rapaille Max; Chris Santerre; Louis Erickson; Chris Hylen
Cc: security-basics () securityfocus com
Subject: RE: Allow second Internet connection into Office Space?


What I meant was that sometimes your not testing speed, but how things look and accessibility to the outside. So you 
need a machine outside your own network to come in from outside. So any machine outside your net would work. Why not 
use a home computer. Good as any. Use VNC to take it over, then have the home machine access your company system from 
outside. (This would not be used for speed testing.)

This way you could see if outsiders are getting the correct access privileges, java / perl / cgi codes, ect.....

Basically a poor mans outside setup. Hell you could just stick a box on a dialup account in the corner. Just don't 
connect to your network. (I have an old laptop for this as well as programming voicemail and router.)

-----Original Message-----
From: Rapaille Max [mailto:Max.Rapaille () nbb be]
Sent: Thursday, October 17, 2002 3:24 AM
To: Chris Santerre; Louis Erickson; Chris Hylen
Cc: security-basics () securityfocus com
Subject: RE: Allow second Internet connection into Office Space?


I'm not sure I fully understand your VNC proposal...

But anyway, using an other line to test the application is a good idea to test in a real live case.

-----Original Message-----
From: Chris Santerre [mailto:csanterre () MerchantsOverseas com] 
Sent: mardi 15 octobre 2002 21:00
To: 'Louis Erickson'; Rapaille Max; Chris Hylen
Cc: security-basics () securityfocus com
Subject: RE: Allow second Internet connection into Office Space?


I'm not sure exactly what "user experience" you are trying to test. To me, saying they want a DSL means they are not 
interested in speed testing. Otherwise they would test dialup, as most users still have this. One way to quite down the 
request is to see if the programmers have DSL or cable at home, have them use VNC or PCanywhere and test from their own 
home machine
;)  

There is a benefit to such a setup. Currently I have Partial T1, DSL, and cable here. All different providers, and only 
one of these hooked directly to our internal net. It does help to check from outside the company how users are seeing 
the data. 

It is also pretty funny to do a traceroute on 2 machines sitting side by side, and it takes 17+ hops :)


-----Original Message-----
From: Louis Erickson [mailto:LErickson () ariba com]
Sent: Monday, October 14, 2002 2:03 PM
To: 'Rapaille Max'; Chris Hylen
Cc: security-basics () securityfocus com
Subject: RE: Allow second Internet connection into Office Space?



One thing which no one has mentioned yet is a variant of this.

Instead of making a connection to the LAN, get the developers removable media.  2G ORB drives are reasonably affordable 
and let you move a big chunk of data back and forth.  They can use their development machines to set up what they want 
to test on the removable disk, then stick it in the other machine for testing.

Make sure all machines involved have good virus protection.  Perhaps different versions for the internal LAN and the 
Internet visible one.

Lou Erickson
IT Tools Developer,
Ariba, Inc.

> -----Original Message-----
> From: Rapaille Max [mailto:Max.Rapaille () nbb be]
> Sent: Thursday, October 10, 2002 11:32 PM
> To: Chris Hylen; security-basics () securityfocus com
> Subject: RE: Allow second Internet connection into Office Space?
>
>
> Hi,
>
> You could create a little separate LAN for them  :
>
> DSL Router --- Firewall (Linux based, on a recup PC) --- TEST LAN
>
> If the goal is to test the end-user experience, they will probably ask 
> for different OS..  So Why not think about making a little private LAN 
> with Linux, Windows,(Dual Boot/VMWare??).  Just imagine..  I had this 
> kind of requirement for a Web developping Company, and this is what
> we did.  We knew that the developpers were  not specially 
> Security-Minded, and the Boss was paranoid...
>
> At a first stage, there was NO connection at all with the production 
> LAN, which is the safest solution ..  But as they needed to exchange 
> some file , we connected both LAN via a Firewall, allowing ONLY FTP 
> traffic from Production LAN to Test LAN, using a FTP proxy and a Virus 
> Checking (Trend Micro Viruswall..)=
> So DEV team can work as usual on the Prod LAN,.  want they to 
> test their finding?  Just moving to an other keyboard... 
> without jeopardysing the prod LAN Security... 
>
> Hope this help..
> Should you need more details about the config, just drop me a mail Off 
> list @ info () emmera be
>
> Regards,
>
>
> MAx
>
> -----Original Message-----
> From: Chris Hylen [mailto:chris.hylen () unigard com]
> Sent: mercredi 9 octobre 2002 17:32
> To: security-basics () securityfocus com
> Cc: CISSP_PNW () yahoogroups com
> Subject: Allow second Internet connection into Office Space?
>
>
> Security Pro's:
>
>       A group of my programmers want to have a DSL connection
> put in their testing area so they can simulate end user
> experience across the Internet. I have concerns with this and 
> am curious if anyone else has found a good solution to 
> provision their business requirement without putting the 
> network at risk.
>
>       I know I haven't gone in to enough detail for an EXACT solution but 
> in general if anyone has any "tips" I'd appreciate it. Thanks!
>
> Chris Hylen
> Data Security