Security Basics mailing list archives

RE: One computer two different networks

From: "Ray Sawyer" <rays () oscamtechnical com>
Date: Wed, 11 Oct 2006 17:52:48 -0400

It would seem that the reason for having a secure network is of course
to guarantee it's secure. Allowing any direct access to the internet
from internal systems, even through a proxy or application layer
firewall (seems most have forgotten Microsoft's ISA server), would be an
unacceptable risk.

That being say we all know that politics usually wins over security. In
my opinion the best compromise would be a sort of hybrid solution,
utilizing a terminal server or Citrix box in a DMZ (such as already
suggested in a previous email) and the use of some sort of proxy or
application firewall (WebSweeper, ISA, Surf Control , etc, etc). This
should provide a reasonable amount a segregation to insure the integrity
of the secure network, while providing access and content control in
both directions while quarantining any malicious content in the DMZ.

 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Andrew Hay
Sent: Tuesday, October 10, 2006 7:00 PM
To: Santiago Barahona
Cc: security-basics () securityfocus com
Subject: Re: One computer two different networks

If you have the budget to purchase 250 additional computers (250 * $400
= $100,000) then I would seriously consider  investing that money in a
firewall with some sort of application layer filtering instead (like
CheckPoint/Cisco/Juniper with Websense/Aladdin/SurfControl).
Not only will you be able to protect your end users from malicious
Internet traffic but you'll be able to track policy violations (like
inappropriate site visits during company time).  You can also enable a
per-session authentication method which would help you control/protect
your users and corporate environment.

If you want some more suggestions please let me know.
--
Andrew Hay [NSA/CCSE Plus/CCNA/Security+/RHCE/GCIA/SSP-MPA/SSP-CNSA]
blog: https://www.andrewhay.ca
email: andrewsmhay || at || gmail.com

On 10/10/06, Santiago Barahona <sant-bar () dsv su se> wrote:

Hi all,

(First of all I want to apologise if I am misplacing this question, if

so I'd appreciate if anyone could point me to the right direction)

So here is the situation:

We have about 250 computers that are isolated in a high-security 
network, we want to give internet access to those computer users 
without compromising the secured network...of course our first thought

is to buy 250 computers so the users can switch between computers (one

for the secure network, one for internet)... but that might not be 
most practical solution...

So, I've been looking around and I've found a product called DATAGATE,

from Tenix which works as a "Data Diode"... looks interesting... but 
I'd like to have a second opinion...

Does anyone know about other products or techniques on how to 
accomplish this??

thanks!


----------------------------------------------------------------------
----- This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has

designated Norwich University a center of Academic Excellence in 
Information Security. Our program offers unparalleled Infosec 
management education and the case study affords you unmatched

consulting experience.

Using interactive e-Learning technology, you can earn this esteemed 
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
-----

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

**********************************************************************
Oscam Technical monitors, controls and protects all its messaging traffic in compliance with its corporate email policy
using Clearswift products. Find out more about Oscam Technical and its anti-virus and content filtering solutions at
www.oscamtechnical.com
**********************************************************************
This communication and any files transmitted with it are confidential and may contain privileged information intended
solely for named addressee(s). It may not be used or disclosed except for the purpose for which it has been sent. If
you are not the intended recipient, you must not copy, distribute, or take any action in reliance on it. Unless
expressly stated, opinions in this message are those of the individual sender and not of Oscam Technical. If you have
received this communication in error, please notify Oscam Technical by emailing oscamadmin () oscamtechnical com
quoting the sender and delete the message and any attached documents and files. Oscam Technical accepts no liability or
responsibility for an onward transmission or use of emails and attachments having left the Oscam Technical domain.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.oscamtechnical.com
**********************************************************************

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Re: One computer two different networks, (continued)
- Re: One computer two different networks Ansgar -59cobalt- Wiechers (Oct 10)
- RE: One computer two different networks Jamie Wareham (Oct 10)
  - RE: One computer two different networks Andrew Aris (Oct 11)
- RE: One computer two different networks Marc (Oct 10)
- RE: One computer two different networks Dan Tesch (Oct 10)
- Re: One computer two different networks sami seclist (Oct 10)
- RE: One computer two different networks David Gillett (Oct 10)
- Re: One computer two different networks Raoul Armfield (Oct 10)
- Re: One computer two different networks Santiago Barahona (Oct 11)
- Re: One computer two different networks Andrew Hay (Oct 11)
  - RE: One computer two different networks Ray Sawyer (Oct 11)
- RE: One computer two different networks Corey Watts-Jones (Oct 11)
- Re: One computer two different networks Ed (Oct 11)
  - RE: One computer two different networks Adnan Rafik (Oct 13)
- RE: One computer two different networks Beauford, Jason (Oct 10)
- Re: One computer two different networks chris (Oct 10)
- Re: One computer two different networks dtodosichuk (Oct 10)
- RE: One computer two different networks Chris Poulter (Oct 11)
- RE: One computer two different networks Hagen, Eric (Oct 11)
  - RE: One computer two different networks mn19522 (Oct 11)
  - RE: One computer two different networks evb (Oct 11)

(Thread continues...)