Firewall Wizards mailing list archives

Re: Facts, not Fiction


From: Chris Brenton <cbrenton () sover net>
Date: Sat, 15 Nov 1997 05:49:35 -0500

chuck yerkes wrote:

Case 1: A pure Mac shop with an ISDN connection to the Internet.
There are no internal IP services. Users connect through the
ISDN connection in order to access POP mail from an ISP and
browse the web.

Except when someone puts telnet and accidentally serves ftp with
no passwords - allowing access to any machine on the mac network
(that was a neat bug).
Except when someone puts up a web server/ftp server.
Except when someone starts using appleshare IP.

True, but a bit off thread. The point was that the security requirements of this
shop differ from the second situation cited (i.e. a bank providing Internet
services). One would hope that in the above situation NAT and access lists would
be used as a minimum. I doubt they have a need for multiple firewalls however.


Case 2: A national bank running the latest UNISYS system with
integrated NT server. System access is via IP. The bank has a T1
connection to the Internet and wishes to allow customers to
administrate their bank accounts via the Internet.

I won't comment on NT's ability to serve huge volumes and reliability
in a critical system - but yes, I'd expect the protection and the
software to be much different.  I'd be authenticating much harder
and proxy the server with minimalist carefully audited software.

Exactly my point. I've dealt with one UNISYS Engineer who is responsible for
doing installs on the above described platform. From his perspective "NT is C2
certified" and "has no known security holes". Scary stuff...

But when mom has a cable modem and her bank data is accessible to
others due to simple, easy-to-do misconfiguration, that's a problem.

I've actually seen this. I have a friend with a cable modem who was showing me
how he could browse shares on other people's systems. He's taken to storing large
downloads he isn't sure he wants to keep on other people's systems. Of course
there is not a whole lot you can do on the firewall end with this one.


Firewalls give one point to focus security.  The difference is that
cheap places rarely secure the client machines.  By giving them a
solid firewall that mistake won't cost them their business.


Please refer to the tag message below. ;)
Agreed; however, I still see the use in performing a risk analysis to see just how
much protection and what kind of outbound access is required.

Cheers,

Chris

**************************************
cbrenton () sover net
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529

Nothing is fool-proof to a sufficiently talented fool.
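As an added illustration of the "NAT and access lists as a minimum" point made for the Case 1 shop above (this is example code written for this archive page, not something posted in the thread by either participant), the block below models a first-match, default-deny access list of the kind a 1997 ISDN router would carry. The policy admits only what the risk analysis says the users need (outbound POP, web and DNS, plus the matching replies) and is then run against the objections raised in the thread: an accidentally exposed FTP or telnet service and an AppleShare IP server on an internal Mac. The addresses, the 192.168.1.0/24 internal range and the port numbers used for the sample packets are all constructed for the example.

```python
"""First-match access-list evaluator for the Case 1 shop (hypothetical example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("192.168.1.0/24")  # constructed RFC 1918 range behind the NAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    sport: int
    dport: int
    inbound: bool              # True when arriving from the ISDN (Internet) side
    established: bool = False  # TCP with ACK set, i.e. not a connection opener


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    inbound: bool
    proto: str
    sport: Optional[int] = None       # None matches any port
    dport: Optional[int] = None
    established: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (self.inbound == p.inbound
                and self.proto == p.proto
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.established is None or self.established == p.established))


# The list is evaluated top to bottom; the first matching rule wins and
# anything unmatched falls through to the implicit deny. Only the outbound
# services the risk analysis identified are opened. Replies come back in
# through the classic stateless "established" check (ACK set) for TCP and
# a source-port-53 match for DNS answers.
CASE1_POLICY = [
    Rule("permit", inbound=False, proto="tcp", dport=110),         # POP3 to the ISP
    Rule("permit", inbound=False, proto="tcp", dport=80),          # web
    Rule("permit", inbound=False, proto="tcp", dport=443),         # web over SSL
    Rule("permit", inbound=False, proto="udp", dport=53),          # DNS queries
    Rule("permit", inbound=True,  proto="tcp", established=True),  # TCP replies only
    Rule("permit", inbound=True,  proto="udp", sport=53),          # DNS answers
]


def evaluate(p: Packet, policy=CASE1_POLICY) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    # Anti-spoofing: a packet from the Internet side never legitimately carries
    # an internal (NAT-hidden) source address, so drop it before the list runs.
    if p.inbound and ip_address(p.src) in INTERNAL:
        return "deny"
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"  # implicit deny at the end of the list


def case1_decisions() -> dict:
    """Run the thread's scenarios through the policy (all addresses constructed)."""
    mac, isp, outsider = "192.168.1.20", "203.0.113.5", "198.51.100.7"
    scenarios = {
        "outbound POP3":      Packet(mac, isp, "tcp", 1025, 110, inbound=False),
        "POP3 reply":         Packet(isp, mac, "tcp", 110, 1025, inbound=True, established=True),
        "outbound web":       Packet(mac, isp, "tcp", 1026, 80, inbound=False),
        "DNS query":          Packet(mac, isp, "udp", 1027, 53, inbound=False),
        "DNS answer":         Packet(isp, mac, "udp", 53, 1027, inbound=True),
        # The "except when" cases from the thread: services stood up by accident
        # on an internal Mac. A connection opener (SYN, no ACK) from outside
        # matches nothing and is dropped, whatever the Mac is listening on.
        "inbound anon FTP":   Packet(outsider, mac, "tcp", 40000, 21, inbound=True),
        "inbound telnet":     Packet(outsider, mac, "tcp", 40001, 23, inbound=True),
        "inbound AppleShare": Packet(outsider, mac, "tcp", 40002, 548, inbound=True),
        # Spoofed internal source arriving from the Internet side
        "spoofed internal":   Packet("192.168.1.99", mac, "tcp", 40003, 21,
                                     inbound=True, established=True),
        # Outbound access the risk analysis did not call for is denied too
        "outbound telnet":    Packet(mac, outsider, "tcp", 1028, 23, inbound=False),
    }
    return {name: evaluate(pkt) for name, pkt in scenarios.items()}


if __name__ == "__main__":
    for name, decision in case1_decisions().items():
        print(f"{name:20s} {decision}")
```

The caveat a practitioner would add: the stateless "established" rule lets in any inbound TCP segment with ACK set, so it stops connection openers to the accidental FTP or telnet server but not an ACK-flag probe of the same ports. That is exactly the gap a stateful filter or proxy closes, which is why the bank in Case 2 is held to a higher standard than this minimum.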
