RE: [fw-wiz] Managed Firewall Service - Opinions

From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 04/25/03

  • Next message: Mark Tinberg: "RE: [fw-wiz] RPCs over HTTPS through the firewall"
    To: Dave Piscitello <dave@corecom.com>
    Date: Thu, 24 Apr 2003 18:10:22 -0500 (CDT)
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Mon, 21 Apr 2003, Dave Piscitello wrote:

    > Example. Company A hires MSSP B to run their firewall.
    > Company A installs 3rd party software and server for vacation rental business.
    > Company C manages this server and insists that they have telnet access to
    > their server. While MSSP B might advise against inbound telnet, Company A
    > chooses to go with Company C's recommended "safe telnet" configuration
    > (inbound only from their remote administration IP address) and insists MSSP
    > B allow the
    > service.
    >
    > Company A is acting unwisely. Company C is introducing a vulnerability and risk
    > many would deem unacceptable. MSSP does what the customer asks.
    >

    Just to play devil's advocate for a moment on the technical issues, this
    scenario is probably much better than what would exist without MSSP B.
    I've helped migrate several small businesses that already had firewalls to
    our product (I too am at an MSSP) and many of the rulesets that they or
    their consultants set up are truly atrocious. In this case the risk has
    been reduced to information disclosure on the network infrastructure
    between Company A and Company C, potential session hijacking and spoofed
    logins using sniffed credentials (which is mitigated by having a
    reasonable packet filter that is doing some ISN normalization and/or a
    reasonable OS TCP stack that is difficult to spoof connections with).
    This is better than worldwide telnet access and reduces the risk to mainly
    more dedicated and knowledgeable attackers who have access to the
    in-between network infrastructure, not every PFY with a script or
    automated worm. For many businesses this is an acceptable level of risk.

    We all want as close to perfect security as we can reasonably get, I'm
    sure, but that's not possible in the real world. Sometimes you have to be
    satisfied with "better" or "good enough" rather than "perfect".

    - --
    Mark Tinberg <MTinberg@securepipe.com>
    Network Security Engineer, SecurePipe Inc.
    Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67

            Your daily fortune . . .

    PS: I don't have a magical security bunny, but I do have a Ryo-Ohki, does
         that count?
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://quantumlab.net/pine_privacy_guard/

    iEYEARECAAYFAj6obt8ACgkQFu7F5OUjbGeM9wCcDTaJSzkEDeVS/U7Lz8FrzFWs
    C+IAnjvJ/KfY9hJ2hTUR+YnmWeqq9ebT
    =HKCm
    -----END PGP SIGNATURE-----
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
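The trade-off Tinberg describes above, as an added example that is not code from the thread or from any of the companies discussed: a model of Company C's "safe telnet" rule (TCP/23 to the server only from its administration address) next to the worldwide rule it replaces, plus a toy of why the residual "spoofed login" risk hinges on how predictable the server's TCP initial sequence numbers are, and how an ISN-normalizing filter removes that pattern. All addresses, ISN generators and numbers are constructed for the example.

```python
# Added example: "safe telnet" source-IP rule vs. blind TCP spoofing.
# Not from the firewall-wizards thread; every address and ISN model is constructed.
import random
from dataclasses import dataclass

SERVER_IP = "192.0.2.10"    # assumed: Company C's server sitting inside Company A
ADMIN_IP = "198.51.100.7"   # assumed: Company C's remote administration host
TELNET_PORT = 23
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def worldwide_telnet(pkt: Packet) -> bool:
    """The ruleset the post calls worse: any source may open TCP/23 to the server."""
    return pkt.proto == "tcp" and pkt.dst == SERVER_IP and pkt.dport == TELNET_PORT


def safe_telnet(pkt: Packet) -> bool:
    """Company C's 'safe telnet': TCP/23 only when the source claims to be ADMIN_IP.
    A filter can only check the address it is shown, not who really sent the
    packet, so what remains is the spoofing question modelled below."""
    return worldwide_telnet(pkt) and pkt.src == ADMIN_IP


def _rng(seed):
    # Seeded generator for reproducible tests, OS entropy otherwise.
    return random.Random(seed) if seed is not None else random.SystemRandom()


class WeakIsnStack:
    """Constructed model of an old-style stack whose ISN advances by a fixed
    step per connection, so a few observed ISNs give away the next one."""
    def __init__(self, start: int = 0x12345678, step: int = 64000):
        self._isn, self._step = start, step

    def next_isn(self) -> int:
        self._isn = (self._isn + self._step) & MASK32
        return self._isn


class RandomIsnStack:
    """Constructed model of a stack that picks each ISN unpredictably."""
    def __init__(self, seed=None):
        self._rng = _rng(seed)

    def next_isn(self) -> int:
        return self._rng.getrandbits(32)


class IsnModulatingFilter:
    """Constructed model of the 'ISN normalization' the post mentions: a packet
    filter in front of a weak stack adds a fresh random offset to each
    connection's sequence numbers, so the stack's pattern never leaves the LAN."""
    def __init__(self, inner, seed=None):
        self._inner, self._rng = inner, _rng(seed)

    def next_isn(self) -> int:
        return (self._inner.next_isn() + self._rng.getrandbits(32)) & MASK32


def guess_next_isn(observed: list[int]) -> int:
    """Off-path attacker's guess: the ISN keeps growing by the delta between
    the last two samples (the classic sequence-number-prediction assumption)."""
    if len(observed) < 2:
        raise ValueError("need at least two observed ISNs")
    delta = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + delta) & MASK32


def blind_spoof_succeeds(server, probes: int = 3) -> bool:
    """Blind spoofing of a connection 'from' ADMIN_IP.
    The attacker samples ISNs with genuine connections from their own address
    to any port the filter does allow (the SYN-ACKs come back to them), then
    sends a SYN with ADMIN_IP as source and must complete the handshake without
    ever seeing the server's SYN-ACK.  True means the guessed ISN matched."""
    observed = [server.next_isn() for _ in range(probes)]
    guess = guess_next_isn(observed)
    actual = server.next_isn()   # ISN in the SYN-ACK the attacker never sees
    return guess == actual


if __name__ == "__main__":
    attacker = Packet("203.0.113.5", SERVER_IP, "tcp", TELNET_PORT)
    print("worldwide rule admits attacker:", worldwide_telnet(attacker))
    print("safe telnet admits attacker:   ", safe_telnet(attacker))
    print("blind spoof, weak stack:       ", blind_spoof_succeeds(WeakIsnStack()))
    print("blind spoof, random ISNs:      ", blind_spoof_succeeds(RandomIsnStack()))
    print("blind spoof, weak + filter:    ",
          blind_spoof_succeeds(IsnModulatingFilter(WeakIsnStack())))
```

The model only covers the off-path case. An attacker sitting on the infrastructure between the two companies sees the SYN-ACK and the cleartext password directly, and no amount of ISN randomization or normalization helps against them; that is exactly the smaller, more capable population the post says the rule reduces the risk to.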
