Security Basics mailing list archives

Re: Internal POP3 users


From: "steve" <securityfocus () delahunty com>
Date: Thu, 4 Mar 2004 11:12:53 -0500

Why let them inside your corporate network at all?  As you sort of suggested
in your posting, keep them off your corporate network, VLAN, or something.
You could even set up a subnet using some simple switching router device
like a Linksys switch that provides DHCP and have that hooked up to your
DMZ.  If no DMZ then some way to put that directly into your router while
not allowing traffic back to your corporate network.

This is like having some guy do work on my fence at my house, he doesn't
need to have access to my house in order to do that work.

Obviously POP3 was in the subject, likely these outside folks needed to have
that allowed while maybe inside users usually don't get that option.


----- Original Message ----- 
From: "David Gillett" <gillettdavid () fhda edu>
To: "'Christopher Herrmann'" <CHerrmann () oddfellows com au>;
"'Security-Basics (E-mail)'" <security-basics () securityfocus com>
Sent: Wednesday, March 03, 2004 1:13 PM
Subject: RE: Internal POP3 users


  Why is it "a major security concern"?  Are you supposed to be
providing them with connectivity, or not?  If you are, DHCP
service is kind of the least you can do.
  Do you have resources that you want to protect, that are not
adequately protected by your domain authorizations?  What kind
of resources are they?

  If you want to keep them off of the segment where your domain
is, then yes, you need to put them on a separate segment and
implement some kind of policy enforcement where the segments
meet.  If you're trying to restrict what they can do with the
bandwidth you provide them, that's a different problem with a
different set of answers.

  And what does this have to do with POP3?

David Gillett


-----Original Message-----
From: Christopher Herrmann [mailto:CHerrmann () oddfellows com au]
Sent: Tuesday, March 02, 2004 5:01 PM
To: Security-Basics (E-mail)
Subject: Internal POP3 users


Hi,

I have a number of users sharing our Internet connection who do not
authenticate to my NT network (they are to all intents and purposes,
different companies in the same building). However they all use the same
DHCP service (from my NT server).  This is a major security concern. What
are some of the ways I might separate the traffic generated on their
machines from my main network?
I understand segmentation is one option, but how do I distinguish between
those machines? Should I move the DHCP to the router for instance?

Any ideas would be welcome.

Christopher Herrmann
IT Manager




