Firewall Wizards mailing list archives
Re: Facts, not Fiction
From: Chris Brenton <cbrenton () sover net>
Date: Sat, 15 Nov 1997 05:49:35 -0500
chuck yerkes wrote:
Case 1: A pure Mac shop with an ISDN connection to the Internet. There are no internal IP services. Users connect through the ISDN connection in order to access POP mail from an ISP and browse the web.
Except when someone puts telnet and accidentally serves ftp with no passwords - allowing access to any machine on the Mac network (that was a neat bug). Except when someone puts up a web server/ftp server. Except when someone starts using AppleShare IP.
True, but a bit off thread. The point was that the security requirements of this shop differ from the second situation cited (i.e. a bank providing Internet services). One would hope that in the above situation NAT and access lists would be used as a minimum. I doubt they have a need for multiple firewalls however.
Case 2: A national bank running the latest UNISYS system with integrated NT server. System access is via IP. The bank has a T1 connection to the Internet and wishes to allow customers to administrate their bank accounts via the Internet.
I won't comment on NT's ability to serve huge volumes and reliability in a critical system - but yes, I'd expect the protection and the software to be much different. I'd be authenticating much harder and proxy the server with minimalist, carefully audited software.
Exactly my point. I've dealt with one UNISYS Engineer that is responsible for doing installs on the above described platform. From his perspective "NT is C2 certified" and "has no known security holes". Scary stuff...
But when mom has a cable modem and her bank data is accessible to others due to simple, easy-to-do misconfiguration, that's a problem.
I've actually seen this. I have a friend with a cable modem who was showing me how he could browse shares on other people's systems. He's taken to storing large downloads that he's not sure if he wants to keep or not on other people's systems. Of course there is not a whole lot you can do on the firewall end with this one.
Firewalls give one point to focus security. The difference is that cheap places rarely secure the client machines. By giving them a solid firewall that mistake won't cost them their business.
Please refer to the tag message below. ;) Agreed, however I still see the use in performing a risk analysis to see just how much protection and what kind of outbound access is required.
Cheers,
Chris
**************************************
cbrenton () sover net
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
Nothing is fool-proof to a sufficiently talented fool.