Re: [fw-wiz] Too Paranoid?

From: Flemming Laugaard (flemming@laugaard.dk)
Date: 09/29/02


From: Flemming Laugaard <flemming@laugaard.dk>
To: firewall-wizards@honor.icsalabs.com
Date: Sun Sep 29 19:32:32 2002

Hi Jim

> vendor of this lash-up wanted me to punch a hole through the
> firewall for port 443.

If you allow this configuration, you are unable to analyze what's
going on. You have no way of analyzing the port 443 traffic. The provider
_must_ be able to use a proxy. If not, the application is not worth
getting on your network, security-wise.

The provider must:

Document their application
Document the computer configuration
Document the security measures taken to secure the system
Prove to you that the system is secure
Explain their (imho) poor platform choice

If this server really is needed in your company, I would place it on
a separate interface on the firewall, and be _really_ strict in the
firewall's rulebase.

Hope you understand what I wrote. I'm not a native English-speaking person.

-- 
Kind regards
Flemming Laugaard
------------------------------------
Prof:    So the American government went to IBM to come up with a data
	 encryption standard and they came up with ...
Student: EBCDIC!
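The contrast the reply draws, a blind port 443 hole into the LAN versus the vendor box on its own firewall interface with a strict rulebase, can be made concrete with a small first-match rule evaluator. This is an added example written for this page, not code from the original post or from any firewall product; the interface names (ext, lan0, dmz0), the addresses (RFC 5737 documentation ranges), the vendor update host and the two rulebases are all constructed for illustration.

```python
"""Added example: first-match firewall rulebase evaluator contrasting a
'punch a hole for 443' design with a 'separate interface, strict rules'
design. All interfaces, addresses and rules are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it."""
    in_if: str       # interface the packet arrives on
    out_if: str      # interface it would leave on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "*"
    log: bool = False            # whether a hit on this rule is logged

    def matches(self, f: Flow) -> bool:
        return (self.in_if in ("*", f.in_if)
                and self.out_if in ("*", f.out_if)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.dport in (None, f.dport)
                and self.proto in ("*", f.proto))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, bool]:
    """Return (action, logged) using first-match semantics and a final deny.
    Traffic that never crosses the firewall (same in/out interface, i.e. the
    vendor box shares a LAN segment with the workstations) cannot be
    filtered or logged at all, which is the reply's core objection."""
    if flow.in_if == flow.out_if:
        return "not inspected", False
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.log
    return "deny", False


# Constructed topology: vendor box at 10.0.0.50 on lan0 (weak design) or at
# 192.0.2.10 on a dedicated dmz0 interface (strict design).
WEAK_RULEBASE = [
    Rule("allow", in_if="ext", out_if="lan0", dst="10.0.0.50/32", dport=443),
    Rule("allow", in_if="lan0", out_if="ext"),  # typical permissive outbound
]

STRICT_RULEBASE = [
    # inbound only to the documented service, logged
    Rule("allow", in_if="ext", out_if="dmz0", dst="192.0.2.10/32", dport=443, log=True),
    # the vendor box may never initiate anything toward the internal LAN
    Rule("deny", in_if="dmz0", out_if="lan0", log=True),
    # outbound only to the single update host the provider documented (constructed)
    Rule("allow", in_if="dmz0", out_if="ext", src="192.0.2.10/32",
         dst="198.51.100.20/32", dport=443, log=True),
    Rule("deny", log=True),  # explicit, logged catch-all
]

# Constructed sample flows
INBOUND_WEAK = Flow("ext", "lan0", "203.0.113.5", "10.0.0.50", 443)
INBOUND_STRICT = Flow("ext", "dmz0", "203.0.113.5", "192.0.2.10", 443)
LATERAL_WEAK = Flow("lan0", "lan0", "10.0.0.50", "10.0.0.20", 445)
LATERAL_STRICT = Flow("dmz0", "lan0", "192.0.2.10", "10.0.0.20", 445)
OUTBOUND_WEAK = Flow("lan0", "ext", "10.0.0.50", "198.51.100.7", 443)
OUTBOUND_STRICT = Flow("dmz0", "ext", "192.0.2.10", "198.51.100.7", 443)
VENDOR_UPDATE = Flow("dmz0", "ext", "192.0.2.10", "198.51.100.20", 443)


def compare() -> dict:
    """Side-by-side verdicts for the same three situations under each design."""
    return {
        "inbound 443 from Internet": (evaluate(WEAK_RULEBASE, INBOUND_WEAK),
                                      evaluate(STRICT_RULEBASE, INBOUND_STRICT)),
        "vendor box -> workstation:445": (evaluate(WEAK_RULEBASE, LATERAL_WEAK),
                                          evaluate(STRICT_RULEBASE, LATERAL_STRICT)),
        "vendor box -> arbitrary host:443": (evaluate(WEAK_RULEBASE, OUTBOUND_WEAK),
                                             evaluate(STRICT_RULEBASE, OUTBOUND_STRICT)),
    }


if __name__ == "__main__":
    for situation, (weak, strict) in compare().items():
        print(f"{situation:34} weak={weak}  strict={strict}")
```

The weak design answers "not inspected" for the vendor box talking to a workstation because that traffic never reaches the firewall; the strict design turns the same attempt into a logged deny, and it also refuses the box's outbound connections to anything but the one host the provider documented.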

