Too Paranoid?

[jseymour () LinxNet com (Jim Seymour)]

Hi,

I have a particular situation at work, and I wonder if I'm being
*too* paranoid.  I'll only be able to discuss the situation in
somewhat vague terms because of a non-disclosure agreement.

A vendor wants to install a system on our LAN that uses a MS-Win2k
server.  This server is completely a turn-key system.  We don't touch
it.  Proprietary server software runs on this server and proprietary
software to talk to the server runs on one-or-more MS-Win desktops.
They use ActiveX controls.  The server, in turn, must communicate
through my firewall, using HTTPS, to multiple servers on the Internet
which are, in turn under the control of yet *other* entities.  Now
all this makes me nervous enough in the first place.  We have no
experience with MS-Win2k.  (We use Unix/Linux in server roles and
various flavours of MS-Win on the desktops.)  We distrust ActiveX
and, in fact, do not allow it through our firewalls at all.

Plus, given some of the answers I've gotten from the people
responsible for this thing in discussing what I get into below, I
don't have a whole lot of confidence that they have even the
*mildest* clues regarding systems security, much-less writing secure
code.

Here's the problem.  Certain third-party modules the server software
uses to communicate to other servers on the 'net don't seem to be
able to deal with the proxy server on the firewall.  They're given
the IP address and port number, but they won't work that way.  The
vendor of this lash-up wanted me to punch a hole through the
firewall for port 443.

This is where I called a halt.  My point being that the vendor is
asking us to punch a hole through our firewall with a generic
plug-proxy, to allow proprietary software written by yet another
party, running on a server on our LAN over which we have no
administrative control and we have no idea how well either the server
or the code running on it is secured, to communicate with servers on
the 'net over which we have also no administrative control.

Vendor: "Well if it's just port 443 and you specify just our internal
         server on your LAN and a specific set of known servers on
         the Internet..."
    Me: "Gee, how 'bout we just run an Ethernet cable between their
         LANs and ours?"
Vendor: "The other beta sites did it."
    Me: "And people wonder how they get 0wn3d?"

I know I was exaggerating a bit with that "Ethernet cable" thing, but
somehow all this struck me as a Very Bad Idea.

It seems to me that the modules on the Win2k server that are trying
to HTTPS through our firewall *ought* to be able to use the existing
proxy server.  The browsers manage it.  Assuming I'm right, and the
vendors are incapable of or unwilling to fix their code, I *might* be
able to fire up a separate instance of the HTTP/HTTPS proxy on port
443.  But lacking either of these resolutions: am I being *too*
paranoid in balking at configuring a TCP plug-proxy as requested?
ISTM that once a connection is established by the inside (unsecured
and unsafe, I must assume) server, *anything* could be passed back-
and-forth over such a connection, not so?  Not the least of which
would be ActiveX controls, which, as I mentioned, we disallow from
outside.


TIA,
Jim
-- 
Jim Seymour                  | PGP Public Key available at:
jseymour () LinxNet com         | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com    |
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards