Re: [fw-wiz] Too Paranoid?

From: R. DuFresne (dufresne@sysinfo.com)
Date: 09/29/02


From: "R. DuFresne" <dufresne@sysinfo.com>
To: James Triplett <james@thelix.net>
Date: Sun Sep 29 19:32:01 2002


Even with this system cordoned off to the DMZ, is this not where the
lawyers come into play to establish a responsibility clause in the SLA
such that any loss or expense incurred due to a compromise of the server
they maintain on your DMZ, or of their system/network that causes such loss and
expense to you due to a compromise, is their responsibility financially to
cover, perhaps with additional penalties under such circumstances?

Thanks,

Ron DuFresne

On Sun, 29 Sep 2002, James Triplett wrote:

> There are two sides to this question: technical and political.
> On the technical side, there may be ways (DMZ net, etc) to control
> the exposure.
>
> But I think the most important thing here has to do with policies (i.e.,
> politics).
>
> You are responsible for the security of your network. ANY vendor
> who wants to put equipment on that network, no matter how big
> and impressive (my bet here is we're talking about ADP), must be
> willing to demonstrate to your satisfaction that their system is secure.
>
> Only by pushing back can we force these behemoths to take security
> seriously. We all know that a single unsecured port is all it takes.
> Even worse if that port is passing https which means you can't
> observe what's going on over that port.
>
> Stick to your guns!
> ----james
>
> > Hi,
> >
> > I have a particular situation at work, and I wonder if I'm being
> > *too* paranoid. I'll only be able to discuss the situation in
> > somewhat vague terms because of a non-disclosure agreement.
> >
> > A vendor wants to install a system on our LAN that uses a MS-Win2k
> > server. This server is completely a turn-key system. We don't touch
> > it. Proprietary server software runs on this server and proprietary
> > software to talk to the server runs on one-or-more MS-Win desktops.
> > They use ActiveX controls. The server, in turn, must communicate
> > through my firewall, using HTTPS, to multiple servers on the Internet
> > which are, in turn under the control of yet *other* entities. Now
> > all this makes me nervous enough in the first place. We have no
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
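One way to make the "cordoned off to the DMZ" arrangement from this thread concrete is to write the firewall policy down as a default-deny rule model and audit it. The following is an added example and not code from any of the posters: the addresses, the vendor's Internet endpoints, the application port 8443 and the rule names are all constructed assumptions. The model allows LAN desktops to reach the vendor server only on its application port, allows the server to reach only the vendor's listed Internet hosts on 443, and flags any accept rule that would let the DMZ host initiate connections into the LAN, which is the exposure the thread worries about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (assumptions, not taken from the thread).
LAN = ipaddress.ip_network("10.10.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")
VENDOR_SERVER = ipaddress.ip_address("192.0.2.10")
# Internet hosts the vendor says its server must reach (assumed list).
VENDOR_UPSTREAMS = [ipaddress.ip_network("198.51.100.5/32"),
                    ipaddress.ip_network("203.0.113.0/24")]
APP_PORT = 8443  # assumed port the desktop client uses to talk to the server


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


def host(ip):
    """Single-host network for a rule match."""
    return ipaddress.ip_network(f"{ip}/32")


# Policy: desktops -> server app port; server -> vendor upstreams on 443;
# explicit DMZ -> LAN drop; everything else falls to the default deny.
RULES = [
    Rule("lan-to-app", LAN, host(VENDOR_SERVER), APP_PORT, "accept"),
    *[Rule(f"app-to-upstream-{i}", host(VENDOR_SERVER), net, 443, "accept")
      for i, net in enumerate(VENDOR_UPSTREAMS)],
    Rule("dmz-to-lan", DMZ, LAN, None, "drop"),
]


def evaluate(rules, src, dst, dport):
    """First-match evaluation of a new connection, default deny."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "drop"


def audit_dmz_isolation(rules):
    """Names of accept rules that let any DMZ source reach the LAN.

    Order matters in first-match policies, so an over-broad accept placed
    ahead of the dmz-to-lan drop is caught here even though the drop exists.
    """
    return [r.name for r in rules
            if r.action == "accept" and r.src.overlaps(DMZ) and r.dst.overlaps(LAN)]


if __name__ == "__main__":
    print(evaluate(RULES, "10.10.1.20", "192.0.2.10", APP_PORT))   # accept
    print(evaluate(RULES, "192.0.2.10", "10.10.1.20", 445))        # drop
    print(audit_dmz_isolation(RULES))                              # []
```

The audit is the part worth keeping around: when the vendor later asks for "just one more" rule, re-run it against the proposed ruleset before the change goes in, and treat any name it returns as a policy question for the people who own the SLA, not a firewall question.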

