Security Basics mailing list archives

RE: One computer two different networks


From: "Hagen, Eric" <hagene () DenverNewspaperAgency com>
Date: Wed, 11 Oct 2006 13:53:37 -0600

I have several anecdotes against these security measures; while somewhat more secure than a "connect the nets"
approach and a "dual-homed PCs" approach, it is only marginally so and still leaves security concerns that wouldn't be
present in a strictly isolated environment.

One concern from this would be a keylogger-type trojan of some sort. There are a number of trojans out that will do
passive keylogging and then intermittently try to "phone home" with the keylog dump. If the "phone home" doesn't work,
it simply tries again later. So you could type a SECRET password and edit a SECRET document, then switch your cables
around for "insecure" work, and as soon as you hit the Internet, this Trojan sends its queued secret data to the
Internet.

Another poster mentions the instance of caching data, which is another security bump. If these are standard Windows
PCs rather than something like SELinux, there are an awful lot of footprints of your network, browsing and editing
traffic left over on the system even after the cable is physically switched over. If secure documents are opened in
a program such as MS Word, cache and temporary files with sensitive data will litter the hard drive. If you are using
SMB sharing, the remote paths of files will be present in multiple places in the registry, etc. The Windows swap file
is also a potential avenue for gaining access to insecure files. If someone is able to execute a privilege escalation
and get superuser on your computer, they can use any number of forensic tools quietly and in the background to analyze
the system for secure data.

I still believe that if you have a pressing enough security need to isolate an entire network, then no point on the 
network should be dual-homed (even non-physically, such as this solution), without greatly sacrificing security.

Yes, this is better than simply having two NICs with different IP addresses, and it forces users to recognize when the
switch from "insecure" to "secure" happens, so it is better than nothing, but it's only marginally better, so you need
to make your determination with the understanding that you are poking a number of holes in your veil of security if you
use a method such as this.

Eric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of Chris Poulter
Sent: Tuesday, October 10, 2006 8:45 PM
To: Jamie Wareham; Santiago Barahona
Cc: security-basics () securityfocus com
Subject: RE: One computer two different networks


The issue there depends on whether they have sensitive data/information from the secured network cached or stored on
their PCs. If so, when they plug into the internet network, it "could" compromise that data...

If they are dumb terminals or have no client side data and all the secured/sensitive data and information is server 
side on the secured network, then that obviously mitigates a large portion of that risk...

Nice idea...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jamie Wareham
Sent: Wednesday, 11 October 2006 4:20 AM
To: Santiago Barahona
Cc: security-basics () securityfocus com
Subject: RE: One computer two different networks

I have set up a dual network situation similar to what you need.
This is how I accomplished the task. Set up separate networks (diff. IP
ranges, server, switches, etc.). Then, you would run cabling from each
network to a dual port outlet installed near each workstation, which should
be easily accessible for the user. Now, the user simply "unplugs" and
"plugs" into the target server's wall outlet and runs a batch file
(which the admin puts on their desktops) that runs a brief DHCP
release/renew process and maps needed drives "on the fly".

When they are done, they just "plug" back into the other outlet and run the
batch file again. Works like a charm.

J~
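A sketch of the kind of switch-over batch file Jamie describes, written here as an added example and not Jamie's own script. It assumes a secure-side file server named SECURE-FS, a share named docs and drive letter S: (all placeholders), and adds the cleanup steps (dropping the previous network's mappings, flushing the DNS cache, mapping non-persistently) that limit, though do not remove, the leftover footprint Eric points out.

```batch
@echo off
REM Added example: switch-over script for the dual-outlet setup described above.
REM Assumptions (placeholders, not from the thread): the secure network's file
REM server is \\SECURE-FS and its share \\SECURE-FS\docs is mapped to drive S:.
REM Usage:  switchnet.bat secure    (after plugging into the secure outlet)
REM         switchnet.bat internet  (after plugging into the internet outlet)

if "%~1"=="" goto usage

REM 1. Drop every mapping left over from the previous network so that no
REM    path from the secure side stays mounted once the cable is moved.
net use * /delete /y >nul 2>&1

REM 2. Release the old lease and forget cached name lookups before renewing.
ipconfig /release >nul
ipconfig /flushdns >nul
ipconfig /renew >nul

if /i "%~1"=="secure" goto secure
if /i "%~1"=="internet" goto internet
goto usage

:secure
REM 3a. Map the secure share non-persistently so the mapping is not stored
REM     in the user's profile and silently recreated at the next logon.
net use S: \\SECURE-FS\docs /persistent:no
if errorlevel 1 echo WARNING: secure share not reachable - check the cable.
goto end

:internet
REM 3b. Nothing to map on the internet side; just confirm the new lease.
echo Connected to the internet outlet.
goto end

:usage
echo Usage: %~nx0 secure ^| internet
exit /b 1

:end
REM Show the address obtained so the user can see which network they are on.
ipconfig | findstr /i /c:"IP Address" /c:"IPv4 Address"
exit /b 0
```

The script does not touch the application caches, temporary files, registry paths or swap file that Eric lists, so it only tidies the network side of the switch.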

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Santiago Barahona
Sent: Tuesday, October 10, 2006 10:04 AM
To: security-basics () securityfocus com
Subject: One computer two different networks

Hi all,

(First of all I want to apologise if I am misplacing this question; if
so, I'd appreciate it if anyone could point me in the right direction.)

So here is the situation:

We have about 250 computers that are isolated in a high-security
network. We want to give internet access to those computer users without
compromising the secured network... of course our first thought is to buy
250 computers so the users can switch between computers (one for the
secure network, one for internet)... but that might not be the most
practical solution...

So, I've been looking around and I've found a product called DATAGATE,
from Tenix which works as a "Data Diode"... looks interesting... but I'd
like to have a second opinion...

Does anyone know about other products or techniques on how to accomplish
this??

thanks!


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------