Firewall Wizards mailing list archives

Re: Too Paranoid?


From: Flemming Laugaard <flemming () laugaard dk>
Date: Sun, 29 Sep 2002 23:07:43 +0200

Hi Jim

> vendor of this lash-up wanted me to punch a hole through the
> firewall for port 443.

If you allow this configuration, you are unable to analyze what's
going on. You have no way of analyzing the port 443 traffic. The provider
_must_ be able to use a proxy. If not, the application is not worth
getting on your network, security-wise.

The provider must:

- Document their application
- Document the computer configuration
- Document the security measures taken to secure the system
- Prove to you that the system is secure
- Explain their (imho) poor platform choice

If this server really is needed in your company, I would place it on
a separate interface on the firewall, and be _really_ strict in the
firewall's rulebase.

Hope you understand what I wrote. I'm not a native English-speaking person.

-- 
Kind regards
Flemming Laugaard
------------------------------------
Prof:    So the American government went to IBM to come up with a data
         encryption standard and they came up with ...
Student: EBCDIC!