RE: One computer two different networks



It would seem that the reason for having a secure network is of course
to guarantee it's secure. Allowing any direct access to the internet
from internal systems, even through a proxy or application layer
firewall (seems most have forgotten Microsoft's ISA server), would be an
unacceptable risk.

That being said, we all know that politics usually wins over security. In
my opinion the best compromise would be a sort of hybrid solution,
utilizing a terminal server or Citrix box in a DMZ (such as already
suggested in a previous email) and the use of some sort of proxy or
application firewall (WebSweeper, ISA, Surf Control, etc, etc). This
should provide a reasonable amount of segregation to ensure the integrity
of the secure network, while providing access and content control in
both directions while quarantining any malicious content in the DMZ.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Andrew Hay
Sent: Tuesday, October 10, 2006 7:00 PM
To: Santiago Barahona
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: One computer two different networks

If you have the budget to purchase 250 additional computers (250 * $400
= $100,000) then I would seriously consider investing that money in a
firewall with some sort of application layer filtering instead (like
CheckPoint/Cisco/Juniper with Websense/Aladdin/SurfControl).
Not only will you be able to protect your end users from malicious
Internet traffic but you'll be able to track policy violations (like
inappropriate site visits during company time). You can also enable a
per-session authentication method which would help you control/protect
your users and corporate environment.

If you want some more suggestions please let me know.
--
Andrew Hay [NSA/CCSE Plus/CCNA/Security+/RHCE/GCIA/SSP-MPA/SSP-CNSA]
blog: https://www.andrewhay.ca
email: andrewsmhay || at || gmail.com

On 10/10/06, Santiago Barahona <sant-bar@xxxxxxxxx> wrote:
Hi all,

(First of all I want to apologise if I am misplacing this question, if
so I'd appreciate if anyone could point me to the right direction)

So here is the situation:

We have about 250 computers that are isolated in a high-security
network, we want to give internet access to those computer users
without compromising the secured network...of course our first thought
is to buy 250 computers so the users can switch between computers (one
for the secure network, one for internet)... but that might not be
the most practical solution...

So, I've been looking around and I've found a product called DATAGATE,
from Tenix which works as a "Data Diode"... looks interesting... but
I'd like to have a second opinion...

Does anyone know about other products or techniques on how to
accomplish this??

thanks!


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


