Security Basics mailing list archives

Re: pcAnywhere...Outbound Only.


From: "Nuzman" <nuzman () shreve net>
Date: Tue, 28 Jan 2003 14:38:37 -0600

Working within reasonable limitations is always our challenge for security.
I was taught practically that at least as far as the Internet connection
goes, trust your internal users and don't trust the outside world. You can
apply a security policy to this limiting services without restricting by
user or IP and still be trusting of the inside world. Note, this does not
mean you trust everyone inside with regard to specific internal or DMZ
systems... only the perimeter.

I think it's quite reasonable to allow all users pcAnywhere access to a
specific address. I assume the same service to all other addresses is denied
and only a very few people will ever know that specific address which is
allowed.

We do something similar in allowing Citrix access outbound to an outsourced
HR server farm. We're not set up yet to be able to grant permissions through
the firewall based on the network logon. Until we can do that, it is a
reasonable risk to allow everyone access to that server farm since 99.8
percent of the company have no idea they could or the address to access. We
do restrict Citrix access out to all other addresses.

Cheers!

Nuzman

----- Original Message -----
From: "tony toni" <tony572001 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Monday, January 27, 2003 8:44 PM
Subject: pcAnywhere...Outbound Only.


Hi,

We have a rule on our firewall that allows all employees to use pcAnywhere
to connect to a host OUTSIDE of our network. It is in one direction...that
is from inside our network to an outside host and not vice versa. Our
firewall administrator came to me and asked me if I had any security issues
with this. He does not want the hassle of maintaining a list of employees
that can do this.

I do not see any glaring problems doing this....what do you think?


Tony Graves
Security Services
Walton International Transportation Corp.
Seattle, Wa.
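
Added example, not part of either message above: a Python audit of firewall connection records that checks the policy discussed in this thread (pcAnywhere allowed outbound to one approved address only, never inbound). The log format, the internal range and the approved address are assumptions made for illustration; the ports are pcAnywhere's registered 5631/tcp and 5632/udp.

```python
import ipaddress

# pcAnywhere's registered ports: 5631/tcp (data) and 5632/udp (status).
PCANYWHERE_PORTS = {("tcp", 5631), ("udp", 5632)}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
APPROVED_HOSTS = {ipaddress.ip_address("203.0.113.25")}  # assumed approved host

# Constructed sample records: "timestamp action proto src:port dst:port"
SAMPLE_LOG = """\
2003-01-28T09:01:12 ACCEPT tcp 10.1.4.22:1045 203.0.113.25:5631
2003-01-28T09:01:13 ACCEPT udp 10.1.4.22:1046 203.0.113.25:5632
2003-01-28T09:14:40 ACCEPT tcp 10.1.7.80:2210 198.51.100.9:5631
2003-01-28T09:20:05 DROP tcp 10.1.9.3:3301 198.51.100.77:5631
2003-01-28T10:02:51 ACCEPT tcp 192.0.2.200:4411 10.1.4.22:5631
2003-01-28T10:05:00 ACCEPT tcp 10.1.4.22:1050 198.51.100.9:80
"""

def split_endpoint(text):
    """Split 'ip:port' into (ip_address, int port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def classify(line):
    """Label one record; None means it is not pcAnywhere traffic."""
    _ts, action, proto, src, dst = line.split()
    src_ip, _ = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    allowed = action == "ACCEPT"
    if (proto, dst_port) not in PCANYWHERE_PORTS:
        return None
    if src_ip not in INTERNAL_NET:
        # The rule is one-directional: nothing should come in from outside.
        return "inbound-allowed" if allowed else "inbound-blocked"
    if dst_ip in APPROVED_HOSTS:
        return "ok" if allowed else "approved-host-blocked"
    # Outbound to any other address should be denied by the firewall.
    return "unapproved-dest-allowed" if allowed else "unapproved-dest-blocked"

def audit(log_text):
    """Return (label, line) for every pcAnywhere record that is not plain 'ok'."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line) if line.strip() else None
        if label not in (None, "ok"):
            findings.append((label, line))
    return findings

if __name__ == "__main__":
    for label, line in audit(SAMPLE_LOG):
        print(f"{label:26} {line}")
```

The "allowed" labels point at a rule that is wider than intended; the "unapproved-dest-blocked" records show which internal hosts are trying other destinations.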






