Security Basics mailing list archives
RE: One computer two different networks
From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Wed, 11 Oct 2006 13:53:37 -0600
I have several anecdotes against these security measures; while somewhat more secure than a "connect the nets" approach and a "dual-homed PCs" approach, it is only marginally so and still leaves security concerns that wouldn't be present in a strictly isolated environment.

One concern from this would be a keylogger type trojan of some sort. There are a number of trojans out that will do passive keylogging and then intermittently try to "phone home" with the keylog dump. If the "phone home" doesn't work, it simply tries again later. So you could type a SECRET password and edit a SECRET document, then switch your cables around for "insecure" work, and as soon as you hit the Internet, this Trojan sends its queued secret data to the Internet.

Another poster mentions the instance of caching data, which is another security bump. If these are standard Windows PCs rather than something like SELinux, there are an awful lot of footprints of your network, browsing and editing traffic left over on the system even after the cable is physically switched over. If secure documents are opened in a program such as MS Word, cache and temporary files with sensitive data will litter the hard drive. If you are using SMB sharing, the remote paths of files will be present in multiple places in the registry, etc. The Windows swap file is also a potential avenue for gaining access to insecure files. If someone is able to execute a privilege escalation and get superuser on your computer, they can use any number of forensic tools quietly and in the background to analyze the system for secure data.

I still believe that if you have a pressing enough security need to isolate an entire network, then no point on the network should be dual-homed (even non-physically, such as this solution), without greatly sacrificing security.

Yes, this is better than simply having two NICs with different IP addresses and forces users to recognize when the switch from "insecure" to "secure" happens, so it is better than nothing, but it's only marginally better, so you need to make your determination with the understanding that you are poking a number of holes in your veil of security if you use a method such as this.

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Chris Poulter
Sent: Tuesday, October 10, 2006 8:45 PM
To: Jamie Wareham; Santiago Barahona
Cc: security-basics () securityfocus com
Subject: RE: One computer two different networks

The issue there depends on whether they have sensitive data/information from the secured network cached or stored on their PCs. If so, when they plug into the internet network, it "could" compromise that data...

If they are dumb terminals or have no client side data and all the secured/sensitive data and information is server side on the secured network, then that obviously mitigates a large portion of that risk...

Nice idea...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jamie Wareham
Sent: Wednesday, 11 October 2006 4:20 AM
To: Santiago Barahona
Cc: security-basics () securityfocus com
Subject: RE: One computer two different networks

I have set up a dual network situation similar to what you need. This is how I accomplished the task. Set up separate networks (diff. IP ranges, server, switches, etc.). Then, you would run cabling from each network to a dual port outlet installed near each workstation, which should be easily accessible for the user. Now, the user simply "unplugs" and "plugs" into the target server's wall outlet and runs a batch file (which the admin puts on their desktops) that runs a brief DHCP release/renew process and maps needed drives "on the fly". When they are done, just "plug" back into the other outlet and run the batch file again. Works like a charm.

J~

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Santiago Barahona
Sent: Tuesday, October 10, 2006 10:04 AM
To: security-basics () securityfocus com
Subject: One computer two different networks

Hi all,

(First of all I want to apologise if I am misplacing this question; if so, I'd appreciate it if anyone could point me in the right direction.)

So here is the situation: we have about 250 computers that are isolated in a high-security network, and we want to give internet access to those computer users without compromising the secured network... Of course our first thought is to buy 250 computers so the users can switch between computers (one for the secure network, one for internet)... but that might not be the most practical solution...

So, I've been looking around and I've found a product called DATAGATE, from Tenix, which works as a "Data Diode"... looks interesting... but I'd like to have a second opinion...

Does anyone know about other products or techniques on how to accomplish this??

thanks!

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
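Jamie's switch-over batch file is not reproduced in the thread; the following is an added, constructed example (not Jamie's script, and not from any product discussed above) of what such a script can look like when it is written with Eric's residue concern in mind: it drops every existing drive mapping before the DHCP release/renew, maps drives non-persistently so they are not stored for the next logon, and refuses to map anything if the new lease is on neither known subnet. The subnet prefixes, server and share names are placeholders, and the ipconfig parsing assumes the "IP Address" / "IPv4 Address" labels printed by Windows XP and later.

```batch
@echo off
setlocal
REM Placeholder values (constructed for this example): adjust to your networks.
set SECURE_PREFIX=10.10.
set INET_PREFIX=192.168.
set SECURE_SERVER=\\SECURE-FS
set INET_SERVER=\\INET-FS

REM Tear down all current mappings first so that paths from the network we
REM are leaving are not carried across the switch.
net use * /delete /y >nul 2>&1

REM Release the old lease and obtain one on the outlet we just plugged into.
ipconfig /release >nul
ipconfig /renew >nul

REM Read the first IPv4 address ipconfig now reports.
set MYIP=
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /i /c:"IP Address" /c:"IPv4 Address"') do (
  if not defined MYIP set MYIP=%%A
)
set MYIP=%MYIP: =%

REM Decide which network we are on by the subnet prefix of the new lease.
echo %MYIP% | findstr /b /c:"%SECURE_PREFIX%" >nul
if %errorlevel%==0 goto secure
echo %MYIP% | findstr /b /c:"%INET_PREFIX%" >nul
if %errorlevel%==0 goto internet

REM Fail closed: unknown network, so map nothing and report it.
echo Address "%MYIP%" is on neither known network; no drives mapped.
exit /b 1

:secure
REM /persistent:no keeps the mapping out of the per-user saved connections.
net use S: %SECURE_SERVER%\docs /persistent:no
goto done

:internet
net use I: %INET_SERVER%\public /persistent:no
goto done

:done
echo Connected as %MYIP%; drives mapped for this network only.
endlocal
```

Non-persistent mappings do not remove the document caches, temporary files and swap-file residue Eric describes; they only avoid adding saved remote paths to the list of things left behind on the workstation.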