Re: Defeating Firewalls: Sneaking Into Office Computers From Home

From: Leythos (void_at_nowhere.lan)
Date: 08/17/05


Date: Tue, 16 Aug 2005 23:33:51 GMT

In article <lLGdnf69Jppi7p_eRVn-uw@comcast.com>, charlesnewman1@comcast.do.not.spam.me.net says...
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d6abc27bbbd0b5a989bcb@news-server.columbus.rr.com...
> > In article <09qdnULrbubpTZ3eRVn-tg@giganews.com>, Frank@SPAM2TRASH.com
> > says...
> > > > In this paper, I discuss a technique to get into your office computer
> > > > using ssh tunneling with some cool tricks.
> > >
> > > Man! All in all, bickering aside, this has been a very good thread. In it
> > > you will find a lot of good info, some technical, some philosophical, some
> > > efficiency oriented, but lots of good info. This thread is a very good
> > > example, IMHO, about how there is no such thing as a "one-size-fits-all"
> > > solution and it underscores the need to do a careful analysis of business
> > > and customer requirements, before blindly applying a cookie-cutter generic
> > > solution.
> > >
> > > Additionally, by observing the controversy in this thread amongst IT
> > > professionals, it will give you some idea about why it can be so difficult
> > > to interface with other networks. Each network "owner" has their own ideas
> > > about security and network policies. I have spent a good portion of my time
> > > in IT negotiating a consensus amongst network owners to allow some form of
> > > connectivity.
> > >
> > > Anyway, interesting stuff I think :)
> >
> > Yep, it's always good to "discuss" the ideals and methods and levels of
> > security as seen from different angles.
> >
> > Like you, I've had to "deal" with IT groups that wanted full access to
> > our network just to access our data in a SQL or Oracle server - and all
> > they really needed is a view or an export on a nightly basis. I had one
> > company tell us they needed SA access for their application to run
> > properly (and it was just a reporting tool)! I've also seen vendors that
> > are partners that can't set up their appliances and other firewalls to
> > work with anything except their own vendor's solution - like a business
> > partner that needs access via port xyz to IP a.b.c.d in your network,
> > but, they want an open connection instead of a VPN with IP/Port to
> > IP/Port restrictions.
> >
> > What we find most times is that it's not a technology barrier, it's a
> > willingness (really it's experience and understanding) of the external
> > IT source to do more than the minimum needed.
> >
> > Here's a good example of what I consider standard security measures:
> >
> > 1) User at office wants to work from home, wants to be able to access
> > things as though they were at the office.
> >
> > 2) User has their own unmanaged PC at home, and is considered
> > compromised by us until proven otherwise.
> >
> > 3) User is behind a NAT device - thank god.
> >
> > We would give them a cheap PC, set up in our shop, with our security
> > measures, and basically locked down so that they can only log on to a
> > desktop with a PPTP Connection icon and a Remote Desktop icon.
> >
> > When the user gets on this computer they boot up, no auto VPN
> > connection, they click the PPTP icon, enter a user/password that is NOT
> > part of the Windows network and start the login process.
> >
> > The firewall appliance acts as a PPTP termination point and each user is
> > set up by the admin with a different user/password than the user's domain
> > account (Windows). Each user has a specific rule that only allows Remote
> > Desktop 3389 from their PPTP session to their specific workstation (or
> > to the terminal server if the company has one).
> >
> > If they authenticate with the firewall properly they double click the RD
> > icon and are presented with a user/password prompt again - this one for
> > the domain and it lets them into their workstation at their desk (or the
> > TS in their department).
> >
> > The RD is set up to not map COM/LPT ports and does not permit file
> > sharing - the only port that is mapped through is 3389, so they can't
> > map a connection to anything else.
>
> RD can be configured so that no file transfer can
> take place, so you could actually safely allow them
> to RD to their home machines. Just make sure that
> an administrator level user has disabled any
> file transfers on remote desktop, and that should
> do it. Then they can go in/out without viruses
> going in or out.

If there are actually applications that provide functionality that is
needed, so much so that the user would be working remotely into their
home computer, then the business would purchase it if there was ROI for
it. If the user just needs access to the home computer for anything,
they can wait until they get home.

I've never found a user that had a valid business reason to access their
home PC from the office.
 

-- 
spam999free@rrohio.com
remove 999 in order to email me
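The per-user PPTP-to-workstation rule set Leythos describes, modelled as an added example (not code from the post or from any product mentioned in it): a default-deny decision function, plus a rendering of the same grants as a Linux iptables FORWARD chain. The user names, tunnel and workstation addresses, interface names and the iptables syntax are all assumptions; the thread does not name the firewall appliance.

```python
"""Default-deny remote-access policy: one PPTP session may reach one
workstation on TCP 3389 and nothing else. Addresses are constructed."""
from dataclasses import dataclass

RDP_PORT = 3389


@dataclass(frozen=True)
class RdpGrant:
    user: str
    pptp_addr: str     # address the firewall hands to this user's PPTP session
    workstation: str   # the single internal host (desk PC or TS) they may reach


# Constructed sample: two remote users, each pinned to their own desk PC.
GRANTS = [
    RdpGrant("alice", "10.99.0.11", "192.168.1.51"),
    RdpGrant("bob",   "10.99.0.12", "192.168.1.52"),
]


def decide(grants, src, dst, dport, proto="tcp"):
    """Return 'allow' only for src->dst TCP/3389 that matches a grant, else 'deny'.

    No grant ever covers SMB/445, other users' workstations, or an unknown
    tunnel address, which is the point of the per-user rule in the thread.
    """
    if proto != "tcp" or dport != RDP_PORT:
        return "deny"
    for g in grants:
        if src == g.pptp_addr and dst == g.workstation:
            return "allow"
    return "deny"


def to_iptables(grants, pptp_if="ppp+", lan_if="eth1"):
    """Render the grants as iptables commands (assumed Linux appliance).

    Default policy DROP, a conntrack rule so the RDP replies can flow back,
    then one ACCEPT per user restricted to their tunnel address, their
    workstation, and TCP 3389 only.
    """
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for g in grants:
        lines.append(
            f"iptables -A FORWARD -i {pptp_if} -o {lan_if} -p tcp "
            f"-s {g.pptp_addr}/32 -d {g.workstation}/32 --dport {RDP_PORT} "
            f"-m comment --comment rdp-{g.user} -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(to_iptables(GRANTS)))
```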

