Firewall Wizards mailing list archives

RE: Managed Firewall Service - Opinions


From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 24 Apr 2003 18:10:22 -0500 (CDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 21 Apr 2003, Dave Piscitello wrote:

> Example. Company A hires MSSP B to run their firewall.
> Company A installs 3rd party software and server for vacation rental business.
> Company C manages this server and insists that they have telnet access to
> their server. While MSSP B might advise against inbound telnet, Company A
> chooses to go with Company C's recommended "safe telnet" configuration
> (inbound only from their remote administration IP address) and insists MSSP
> B allow the service.
>
> Company A is acting unwisely. Company C is introducing a vulnerability and risk
> many would deem unacceptable. MSSP does what the customer asks.


Just to play devil's advocate for a moment on the technical issues, this
scenario is probably much better than what would exist without MSSP B.
I've helped migrate several small businesses that already had firewalls to
our product (I too am at an MSSP) and many of the rulesets that they or
their consultants set up are truly atrocious.  In this case the risk has
been reduced to information disclosure on the network infrastructure
between Company A and Company C, potential session hijacking and spoofed
logins using sniffed credentials (which is mitigated by having a
reasonable packet filter that is doing some ISN normalization and/or a
reasonable OS TCP stack that is difficult to spoof connections with).
This is better than worldwide telnet access and reduces the risk to mainly
more dedicated and knowledgeable attackers who have access to the
in-between network infrastructure, not every PFY with a script or
automated worm.  For many businesses this is an acceptable level of risk.

We all want as close to perfect security as we can reasonably get, I'm
sure, but that's not possible in the real world.  Sometimes you have to be
satisfied with "better" or "good enough" rather than "perfect".

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67

        Your daily fortune . . .

PS:  I don't have a magical security bunny, but I do have a Ryo-Ohki, does
     that count?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iEYEARECAAYFAj6obt8ACgkQFu7F5OUjbGeM9wCcDTaJSzkEDeVS/U7Lz8FrzFWs
C+IAnjvJ/KfY9hJ2hTUR+YnmWeqq9ebT
=HKCm
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards