Firewall Wizards mailing list archives
RE: Managed Firewall Service - Opinions
From: Mark Tinberg <mtinberg () securepipe com>
Date: Thu, 24 Apr 2003 18:10:22 -0500 (CDT)
On Mon, 21 Apr 2003, Dave Piscitello wrote:

> Example. Company A hires MSSP B to run their firewall. Company A installs 3rd party software and server for vacation rental business. Company C manages this server and insists that they have telnet access to their server. While MSSP B might advise against inbound telnet, Company A chooses to go with Company C's recommended "safe telnet" configuration (inbound only from their remote administration IP address) and insists MSSP B allow the service. Company A is acting unwisely. Company C is introducing a vulnerability and risk many would deem unacceptable. MSSP does what the customer asks.

Just to play devil's advocate for a moment on the technical issues, this scenario is probably much better than what would exist without MSSP B. I've helped migrate several small businesses that already had firewalls to our product (I too am at an MSSP) and many of the rulesets that they or their consultants set up are truly atrocious.

In this case the risk has been reduced to information disclosure on the network infrastructure between Company A and Company C, potential session hijacking and spoofed logins using sniffed credentials (which is mitigated by having a reasonable packet filter that is doing some ISN normalization and/or a reasonable OS TCP stack that is difficult to spoof connections with). This is better than worldwide telnet access and reduces the risk to mainly more dedicated and knowledgeable attackers who have access to the in-between network infrastructure, not every PFY with a script or automated worm. For many businesses this is an acceptable level of risk.

We all want as close to perfect security as we can reasonably get, I'm sure, but that's not possible in the real world. Sometimes you have to be satisfied with "better" or "good enough" rather than "perfect".

--
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
Your daily fortune . . .
PS: I don't have a magical security bunny, but I do have a Ryo-Ohki, does that count?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
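The "safe telnet" rule the thread argues about, written out as an added packet-filter example. This is not code from the thread, from Mark Tinberg or from SecurePipe; it is a ruleset in the OpenBSD pf syntax of that period (standalone `scrub` rules, which current pf folds into `match` rules) that puts the any-source telnet rule a consultant might have left behind beside the source-restricted rule, with the state options that give the "ISN normalization" and "hard to spoof" properties the message mentions. The interface name and all three addresses are constructed placeholders.

```pf
# Added example, not from the original post. OpenBSD pf (pre-4.7 syntax).
# Interface and addresses are constructed for illustration only.
ext_if     = "fxp0"            # assumed external interface
rental_srv = "192.0.2.10"      # assumed address of the vacation-rental server
admin_ip   = "198.51.100.7"    # assumed Company C remote-administration address

# Normalize inbound traffic (reassemble fragments, drop malformed
# flag combinations) before it reaches the rules below.
scrub in on $ext_if all

# Default deny inbound, logged so the MSSP sees the probes and worms
# that would otherwise have found an open telnet port.
block in log on $ext_if all

# The "truly atrocious" version: telnet to the server from anywhere.
# Left here commented out so the difference is visible side by side.
# pass in on $ext_if proto tcp from any to $rental_srv port telnet keep state

# "Safe telnet": only Company C's administration address may open a session.
#   flags S/SA      - only a bare SYN creates state; a stray ACK or RST does not
#   modulate state  - pf rewrites the server's initial sequence numbers, so a
#                     predictable server TCP stack does not make blind
#                     connection spoofing any easier
pass in on $ext_if proto tcp from $admin_ip to $rental_srv port telnet \
     flags S/SA modulate state

# Everything outbound is allowed and tracked; replies to the telnet
# session are matched by the state entry above, not by a separate rule.
pass out on $ext_if all keep state
```

Two caveats a practitioner would add. The source restriction is only as good as the address: if Company C sits behind NAT, everyone behind that gateway matches `$admin_ip`, and if the address changes the rule silently locks them out or, worse, someone else in. And nothing in this ruleset touches the part of the risk the message leaves open, credentials and session contents crossing the path between the two companies in clear text; the rule only decides who may try.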
Current thread:
- Re: Managed Firewall Service - Opinions, (continued)
- Re: Managed Firewall Service - Opinions Duncan Sharp (Apr 17)
- Re: Managed Firewall Service - Opinions R. DuFresne (Apr 18)
- Re: Managed Firewall Service - Opinions Mike Scher (Apr 18)
- PIX Config Problem Paul Stewart (Apr 22)
- Re: Managed Firewall Service - Opinions Duncan Sharp (Apr 17)
- Re: Managed Firewall Service - Opinions Mike Hoskins (Apr 18)
- Re: Managed Firewall Service - Opinions R. DuFresne (Apr 19)
- Re: Managed Firewall Service - Opinions Mike Hoskins (Apr 19)
- Re: Managed Firewall Service - Opinions R. DuFresne (Apr 19)
- RE: Managed Firewall Service - Opinions Behm, Jeffrey L. (Apr 19)
- RE: Managed Firewall Service - Opinions Melson, Paul (Apr 21)
- RE: Managed Firewall Service - Opinions Dave Piscitello (Apr 21)
- RE: Managed Firewall Service - Opinions Mark Tinberg (Apr 25)
- RE: Managed Firewall Service - Opinions Paul D. Robertson (Apr 21)
- RE: Managed Firewall Service - Opinions Dave Piscitello (Apr 21)
- RE: Managed Firewall Service - Opinions Melson, Paul (Apr 21)
- RE: Managed Firewall Service - Opinions Paul D. Robertson (Apr 21)
- RE: Managed Firewall Service - Opinions Melson, Paul (Apr 21)
- RE: Managed Firewall Service - Opinions Dave Piscitello (Apr 21)