Firewall Wizards mailing list archives

Re: shiva lanrover


From: Patrick Darden <darden () armc org>
Date: Thu, 14 Sep 2000 15:25:15 -0400 (EDT)


Outside your firewall meaning on the internet?  Accessible by anyone?  
Not recommended.  Rack up a heck of a long distance bill if you get
hacked, have no secure access to it from your network (as in dial out,
management, logging and auditing, etc.).  Kind of a strange idea,
actually.  Random DOS attacks would lock it up two or three times a day.

Located inside your DMZ it gets a lot of protection, but it is still not a
trusted host so it only gets certain restricted access.  Very
controllable, very manageable, if done correctly.

Inside your network means it is fully trusted, so a kid with a wardialer
could conceivably hack into it--and from there have free access to the
soft rich underbelly of your network.  Better than hanging it
outside your firewall but, again, not recommended.


By their nature, RAS units are doubly susceptible to attack--as they are
doubly accessible.  I suggest you protect your unit as strongly as
possible without limiting its functionality.

--
--Patrick Darden                Internetworking Manager             
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center
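The "restricted access" DMZ placement described above, worked through as a small policy model. This is an added example, not code from the thread or from Shiva; the addresses, ports and rule set are constructed assumptions standing in for a real firewall configuration. It compares the "fully trusted inside" policy (RAS can reach the whole internal network) with a DMZ policy that allows the RAS host only the flows it needs (authentication, central logging, management from one admin host) and logs everything else, including traffic toward other hosts sharing the DMZ segment.

```python
"""Least-privilege firewall policy model for a remote-access server (RAS)
in a DMZ. Added example; addresses, ports and rules are constructed
assumptions, not a vendor or thread-provided configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any port
    log: bool = False      # whether a match is logged

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


# Constructed network layout (assumptions, documentation address ranges).
RAS_HOST = "192.0.2.10/32"   # the RAS unit, placed in the DMZ
DMZ = "192.0.2.0/24"         # DMZ segment shared with other hosts
INTERNAL = "10.0.0.0/8"      # internal network
RADIUS = "10.0.0.5/32"       # authentication server the RAS must reach
SYSLOG = "10.0.0.6/32"       # central log server for auditing
ADMIN = "10.0.0.50/32"       # the only host allowed to manage the RAS
ANY = "0.0.0.0/0"

# "Inside your network": the RAS is fully trusted toward internal hosts.
TRUSTED_RAS_POLICY: List[Rule] = [
    Rule("allow", RAS_HOST, INTERNAL, "any", None),
]

# "In the DMZ": explicit allows for what the unit needs, then log-and-deny.
DMZ_RAS_POLICY: List[Rule] = [
    Rule("allow", RAS_HOST, RADIUS, "udp", 1812),   # user authentication
    Rule("allow", RAS_HOST, SYSLOG, "udp", 514),    # central logging/auditing
    Rule("allow", ADMIN, RAS_HOST, "tcp", 23),      # management from admin host only
    Rule("deny", ANY, ANY, "any", None, log=True),  # everything else, logged
]


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, bool]:
    """First matching rule wins; unmatched flows fall to a logged default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.log
    return "deny", True


def excess_exposure(weak: List[Rule], strict: List[Rule],
                    flows: List[Flow]) -> List[Flow]:
    """Flows the weak policy permits that the strict policy blocks: the
    reach a compromised RAS would gain from the trusted placement."""
    return [f for f in flows
            if evaluate(weak, f)[0] == "allow"
            and evaluate(strict, f)[0] == "deny"]


# Constructed sample flows for comparing the two placements.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", "udp", 1812),   # RAS -> RADIUS (needed)
    Flow("192.0.2.10", "10.0.0.6", "udp", 514),    # RAS -> syslog (needed)
    Flow("192.0.2.10", "10.0.0.20", "tcp", 445),   # RAS -> internal file server
    Flow("192.0.2.10", "192.0.2.20", "tcp", 80),   # RAS -> neighbour in the DMZ
    Flow("10.0.0.50", "192.0.2.10", "tcp", 23),    # admin host -> RAS management
    Flow("192.0.2.20", "192.0.2.10", "tcp", 23),   # DMZ neighbour -> RAS management
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "trusted:", evaluate(TRUSTED_RAS_POLICY, f),
              "dmz:", evaluate(DMZ_RAS_POLICY, f))
    print("extra reach under trusted placement:",
          excess_exposure(TRUSTED_RAS_POLICY, DMZ_RAS_POLICY, SAMPLE_FLOWS))
```

Two points in the thread show up directly in the output: the DMZ policy still lets the unit authenticate and ship logs, so its function is intact, while the neighbouring DMZ host can neither reach the unit's management port nor be reached from it, which addresses the concern about sharing a DMZ port with other machines.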

On Thu, 14 Sep 2000, hermit1 wrote:

Why not just put it outside the firewall and treat it as any other ISP 
connection?  If I put it on a DMZ, either I need to dedicate a port to it 
or it gets access to other machines on that port without me knowing about it.

These boxes can be reached via their ethernet connection and reconfigured, 
but if there are no restrictions (except proper user ID), what good would 
it do for a cracker to reconfigure it?  I suppose it could be reset to dial 
out and used to obscure the true origin of some connection elsewhere.  I 
don't see any risk in putting it outside the firewall under the no 
restriction rules, though.

hermit1

At 10:46 AM 9/14/00 -0400, Patrick Darden wrote:

Howdy!

We have two of the big ones (dual PRIs with digital modems), and are very
happy with them.  Granted, it took a long time to get them to the point
where they were functional and reliable, but that is more a matter of who
we purchased them from (we spent beaucoup bucks so they would install and
configure and integrate them properly.)

We especially like the dial out ISDN capability this gives everyone on our
network (anyone with the proper privs).

I recommend you put them in your DMZ, because even though there are no
security issues peculiar to them they are an ingress/egress avenue and
should be strictly controlled.


--
--
--Patrick Darden                Internetworking Manager
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center


On Wed, 13 Sep 2000, hermit1 wrote:

Someone at my company wants to install a Shiva LanRover box (8 ports, no
waiting) for dial-up access either behind the firewall or on a DMZ.  I
think this is a 'fine idea', but I want to put it outside the
firewall.  For some reason they don't want to go the ISP route.

I searched various places and found only one description of a security
problem - by default there is a root account on the box without a
password.  Does anyone know of any other problems with this gadget?

Thanks,
hermit1


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
