Firewall Wizards mailing list archives
Too Paranoid?
From: jseymour () LinxNet com (Jim Seymour)
Date: Sun, 29 Sep 2002 09:34:22 -0400 (EDT)
Hi, I have a particular situation at work, and I wonder if I'm being *too* paranoid. I'll only be able to discuss the situation in somewhat vague terms because of a non-disclosure agreement. A vendor wants to install a system on our LAN that uses a MS-Win2k server. This server is completely a turn-key system. We don't touch it. Proprietary server software runs on this server and proprietary software to talk to the server runs on one-or-more MS-Win desktops. They use ActiveX controls. The server, in turn, must communicate through my firewall, using HTTPS, to multiple servers on the Internet which are, in turn under the control of yet *other* entities. Now all this makes me nervous enough in the first place. We have no experience with MS-Win2k. (We use Unix/Linux in server roles and various flavours of MS-Win on the desktops.) We distrust ActiveX and, in fact, do not allow it through our firewalls at all. Plus, given some of the answers I've gotten from the people responsible for this thing in discussing what I get into below, I don't have a whole lot of confidence that they have even the *mildest* clues regarding systems security, much-less writing secure code. Here's the problem. Certain third-party modules the server software uses to communicate to other servers on the 'net don't seem to be able to deal with the proxy server on the firewall. They're given the IP address and port number, but they won't work that way. The vendor of this lash-up wanted me to punch a hole through the firewall for port 443. This is where I called a halt. My point being that the vendor is asking us to punch a hole through our firewall with a generic plug-proxy, to allow proprietary software written by yet another party, running on a server on our LAN over which we have no administrative control and we have no idea how well either the server or the code running on it is secured, to communicate with servers on the 'net over which we have also no administrative control. Vendor: "Well if it's just port 443 and you specify just our internal server on your LAN and a specific set of known servers on the Internet..." Me: "Gee, how 'bout we just run an Ethernet cable between their LANs and ours?" Vendor: "The other beta sites did it." Me: "And people wonder how they get 0wn3d?" I know I was exaggerating a bit with that "Ethernet cable" thing, but somehow all this struck me as a Very Bad Idea. It seems to me that the modules on the Win2k server that are trying to HTTPS through our firewall *ought* to be able to use the existing proxy server. The browsers manage it. Assuming I'm right, and the vendors are incapable of or unwilling to fix their code, I *might* be able to fire up a separate instance of the HTTP/HTTPS proxy on port 443. But lacking either of these resolutions: am I being *too* paranoid in balking at configuring a TCP plug-proxy as requested? ISTM that once a connection is established by the inside (unsecured and unsafe, I must assume) server, *anything* could be passed back- and-forth over such a connection, not so? Not the least of which would be ActiveX controls, which, as I mentioned, we disallow from outside. TIA, Jim -- Jim Seymour | PGP Public Key available at: jseymour () LinxNet com | http://www.uk.pgp.net/pgpnet/pks-commands.html http://jimsun.LinxNet.com | _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Too Paranoid? Jim Seymour (Sep 29)
- Re: Too Paranoid? Paul D. Robertson (Sep 29)
- Re: Too Paranoid? James Triplett (Sep 29)
- Re: Too Paranoid? R. DuFresne (Sep 29)
- Re: Too Paranoid? Dave Piscitello (Sep 29)
- Re: Too Paranoid? Frederick M Avolio (Sep 29)
- Re: Too Paranoid? Dave Piscitello (Sep 29)
- Re: Too Paranoid? Bennett Todd (Sep 30)
- Re: Too Paranoid? Adam Shostack (Sep 30)