Re: [fw-wiz] Too Paranoid?

From: R. DuFresne (
Date: 09/29/02

From: "R. DuFresne" <>
To: James Triplett <>
Date: Sun Sep 29 19:32:01 2002

Even with this system cordoned-off to the DMZ, is this not where the
lawyers come into play to establish a responsibility clause into the SLA
such that any lose or expense incurred due to a compromise of the server
they maintain on your DMZ or their system/network that cause such lose and
expense to you due to a compromise is their responsibility finacially to
cover, perhaps with additional penalties under such circumstances?


Ron DuFresne

On Sun, 29 Sep 2002, James Triplett wrote:

> There are two sides to this question: technical and political.
> On the technical side, there may be ways (DMZ net, etc) to control
> the exposure.
> But, I think the most important here has to do with policies (i.e.,
> politics).
> You are responsible for the security of your network. ANY vendor
> who wants to put equipment on that network, not matter how big
> and impressive (my bet here is we're talking about ADP)- must be
> willing to demonstrate to your satisfaction that their system is secure.
> Only by pushing back, can we force these behemoths to take security
> seriously. We all know that a single unsecured port is all it takes.
> Even worse if that port is passing https which means you can't
> observe what's going on over that port.
> Stick to your guns!
> ----james
> > X-AntiVirus: scanned for viruses by AMaViS 0.2x2 at
> >
> > Hi,
> >
> > I have a particular situation at work, and I wonder if I'm being
> > *too* paranoid. I'll only be able to discuss the situation in
> > somewhat vague terms because of a non-disclosure agreement.
> >
> > A vendor wants to install a system on our LAN that uses a MS-Win2k
> > server. This server is completely a turn-key system. We don't touch
> > it. Proprietary server software runs on this server and proprietary
> > software to talk to the server runs on one-or-more MS-Win desktops.
> > They use ActiveX controls. The server, in turn, must communicate
> > through my firewall, using HTTPS, to multiple servers on the Internet
> > which are, in turn under the control of yet *other* entities. Now
> > all this makes me nervous enough in the first place. We have no
> _______________________________________________
> firewall-wizards mailing list

        admin & senior security consultant:
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!