Firewall Wizards mailing list archives

Re: Too Paranoid?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 29 Sep 2002 13:24:47 -0400 (EDT)



Even with this system cordoned off to the DMZ, is this not where the
lawyers come into play to establish a responsibility clause in the SLA
such that any loss or expense incurred due to a compromise of the server
they maintain on your DMZ, or of their system/network, that causes such loss and
expense to you due to a compromise is their responsibility financially to
cover, perhaps with additional penalties under such circumstances?

Thanks,

Ron DuFresne

On Sun, 29 Sep 2002, James Triplett wrote:

There are two sides to this question: technical and political.
On the technical side, there may be ways (DMZ net, etc) to control
the exposure.

But I think the most important thing here has to do with policies (i.e.,
politics).

You are responsible for the security of your network.  ANY vendor
who wants to put equipment on that network, no matter how big
and impressive (my bet here is we're talking about ADP) - must be
willing to demonstrate to your satisfaction that their system is secure.

Only by pushing back can we force these behemoths to take security
seriously.  We all know that a single unsecured port is all it takes.
Even worse if that port is passing https, which means you can't
observe what's going on over that port.

Stick to your guns!
----james


Hi,

I have a particular situation at work, and I wonder if I'm being
*too* paranoid.  I'll only be able to discuss the situation in
somewhat vague terms because of a non-disclosure agreement.

A vendor wants to install a system on our LAN that uses a MS-Win2k
server.  This server is completely a turn-key system.  We don't touch
it.  Proprietary server software runs on this server and proprietary
software to talk to the server runs on one or more MS-Win desktops.
They use ActiveX controls.  The server, in turn, must communicate
through my firewall, using HTTPS, to multiple servers on the Internet
which are, in turn, under the control of yet *other* entities.  Now
all this makes me nervous enough in the first place.  We have no
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

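As an added illustration of the technical side James mentions (a DMZ net to control the exposure), not code from the thread or from any of the posters: a Linux iptables policy for the vendor's turn-key box. It pins the box's outbound traffic to HTTPS toward an explicit allowlist of the vendor's Internet endpoints, admits only the designated desktops on the proprietary application port, and logs and drops everything else, so "a single unsecured port" on the box is unreachable from anywhere it has not been granted. The firewall platform, the interface name, the addresses (RFC 5737 documentation ranges) and the application port are all assumptions; substitute the real values from the vendor's documentation. Run with no arguments it only prints the rules; set APPLY=1 to load them.

```shell
#!/bin/sh
# Constructed example (not from the thread): egress/ingress policy for a
# vendor-managed turn-key host parked in the DMZ. The host may reach only an
# explicit allowlist of vendor endpoints on 443/tcp, and only the named
# desktops may reach it on the vendor's application port. Everything else is
# logged and dropped. All addresses, the interface and the port are placeholders.

DMZ_IF="${DMZ_IF:-eth1}"                  # firewall interface facing the DMZ (assumed)
VENDOR_HOST="${VENDOR_HOST:-192.0.2.10}"  # the Win2k box (placeholder, RFC 5737)
VENDOR_PORT="${VENDOR_PORT:-8443}"        # proprietary desktop->server port (assumed)
DESKTOPS="${DESKTOPS:-10.1.1.21 10.1.1.22}"                       # workstations allowed in
VENDOR_UPSTREAMS="${VENDOR_UPSTREAMS:-198.51.100.5 203.0.113.7}"  # vendor's Internet endpoints

# ipt: apply the rule when APPLY=1, otherwise just print it for review.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

vendor_dmz_rules() {
    # A dedicated chain keeps every rule about the vendor box in one place.
    ipt -N VENDOR_DMZ
    ipt -F VENDOR_DMZ
    ipt -A FORWARD -i "$DMZ_IF" -s "$VENDOR_HOST" -j VENDOR_DMZ
    ipt -A FORWARD -o "$DMZ_IF" -d "$VENDOR_HOST" -j VENDOR_DMZ

    # Return traffic for connections that were accepted below.
    ipt -A VENDOR_DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound: HTTPS to the named vendor endpoints only. The payload is
    # encrypted and cannot be inspected, so the destination list is the
    # control that remains.
    for dst in $VENDOR_UPSTREAMS; do
        ipt -A VENDOR_DMZ -s "$VENDOR_HOST" -d "$dst" -p tcp --dport 443 \
            -m state --state NEW -j ACCEPT
    done

    # Inbound: only the designated desktops, only the application port.
    for src in $DESKTOPS; do
        ipt -A VENDOR_DMZ -s "$src" -d "$VENDOR_HOST" -p tcp --dport "$VENDOR_PORT" \
            -m state --state NEW -j ACCEPT
    done

    # Nothing else in either direction. Log before dropping so that a box
    # that starts talking to unexpected places shows up in the firewall log.
    ipt -A VENDOR_DMZ -m limit --limit 5/min -j LOG --log-prefix VENDOR_DMZ_DROP:
    ipt -A VENDOR_DMZ -j DROP
}

# Stand-alone run: prints the rules (APPLY unset) or loads them (APPLY=1).
vendor_dmz_rules
```

Because the final rule in the chain is an unconditional DROP, adding a new vendor endpoint or desktop is a deliberate change to the allowlist variables rather than something that happens silently; the LOG line is what tells you the vendor's box has started reaching for an address nobody told you about.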