Re: pcAnywhere...Outbound Only.

From: Nuzman (nuzman@shreve.net)
Date: 01/28/03

    From: "Nuzman" <nuzman@shreve.net>
    To: <security-basics@securityfocus.com>
    Date: Tue, 28 Jan 2003 14:38:37 -0600
    
    

    Working within reasonable limitations is always our challenge for security.
    I was taught practically that at least as far as the Internet connection
    goes, trust your internal users and don't trust the outside world. You can
    apply a security policy to this limiting services without restricting by
    user or IP and still be trusting of the inside world. Note, this does not
    mean you trust everyone inside with regard to specific internal or DMZ
    systems... only the perimeter.

    I think it's quite reasonable to allow all users pcAnywhere access to a
    specific address. I assume the same service to all other addresses is denied
    and only a very few people will ever know that specific address which is
    allowed.

    We do something similar in allowing Citrix access outbound to an outsourced
    HR server farm. We're not set up yet to be able to grant permissions through
    the firewall based on the network logon. Until we can do that, it is a
    reasonable risk to allow everyone access to that server farm since 99.8
    percent of the company have no idea they could or the address to access. We
    do restrict Citrix access out to all other addresses.

    Cheers!

    Nuzman

    ----- Original Message -----
    From: "tony toni" <tony572001@hotmail.com>
    To: <security-basics@securityfocus.com>
    Sent: Monday, January 27, 2003 8:44 PM
    Subject: pcAnywhere...Outbound Only.

    > Hi,
    >
    > We have a rule on our firewall that allows all employees to use pcAnywhere
    > to connect to a host OUTSIDE of our network. It is in one direction...that
    > is from inside our network to an outside host and not vice versa. Our
    > firewall administrator came to me and asked me if I had any security issues
    > with this. He does not want the hassle of maintaining a list of employees
    > that can do this.
    >
    > I do not see any glaring problems doing this....what do you think?
    >
    >
    > Tony Graves
    > Security Services
    > Walton International Transportation Corp.
    > Seattle, Wa.
    >
    >
    >
    >
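
The policy discussed in this thread (outbound pcAnywhere allowed for every internal user, but only to one destination, and never inbound) can be checked against firewall logs. The following is an added example, not part of the original messages: the log format, the addresses, and the use of pcAnywhere's default ports (TCP 5631, UDP 5632) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions for this example (not from the thread): pcAnywhere's default
# ports, an RFC 1918 inside network, and a documentation-range remote host.
PCA_PORTS = {("tcp", 5631), ("udp", 5632)}
INSIDE = ipaddress.ip_network("10.0.0.0/8")
APPROVED_DST = ipaddress.ip_address("203.0.113.10")

# Constructed sample log lines in a made-up key=value format.
SAMPLE_LOG = """\
action=allow proto=tcp src=10.1.4.22 dst=203.0.113.10 dport=5631
action=allow proto=udp src=10.1.4.22 dst=203.0.113.10 dport=5632
action=deny proto=tcp src=10.1.9.7 dst=198.51.100.44 dport=5631
action=allow proto=tcp src=10.2.0.15 dst=198.51.100.80 dport=5631
action=allow proto=tcp src=10.1.4.22 dst=198.51.100.80 dport=443
action=allow proto=tcp src=203.0.113.10 dst=10.1.4.22 dport=5631
"""

def parse(line):
    f = dict(kv.split("=", 1) for kv in line.split())
    return (f["action"], f["proto"], ipaddress.ip_address(f["src"]),
            ipaddress.ip_address(f["dst"]), int(f["dport"]))

def audit(log_text):
    """Classify pcAnywhere flows against the one-destination, outbound-only policy."""
    report = {"approved_users": Counter(), "blocked_attempts": [],
              "policy_gaps": [], "inbound_allowed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, proto, src, dst, dport = parse(line)
        if (proto, dport) not in PCA_PORTS:
            continue  # not pcAnywhere traffic
        if src not in INSIDE:
            # Outside -> inside must never be allowed: the rule is one-way.
            if action == "allow" and dst in INSIDE:
                report["inbound_allowed"].append(line)
        elif dst == APPROVED_DST and action == "allow":
            report["approved_users"][str(src)] += 1  # who really uses the rule
        elif action == "deny":
            report["blocked_attempts"].append((str(src), str(dst)))
        else:
            report["policy_gaps"].append((str(src), str(dst)))  # allowed elsewhere
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Entries under `policy_gaps` or `inbound_allowed` mean the firewall rule is wider than the policy described; `approved_users` shows how many internal hosts actually use the allowed destination.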


