Subject: Re: [fw-wiz] Web access for everyone
From: Paul D. Robertson (probertsclark.net)
Date: Mon May 22 2000 - 06:44:40 CDT


On Sun, 21 May 2000, Alex Lim wrote:

> Hi all,
>
> I am checking out on this scenario in order to make a proposal to my
> company.
>
> We have employees and system/network administrators who want web
> access from their desktops. Employees are allowed through the firewalls
> via a proxy. The risk that we can foresee is one in which a user
> downloads a virus or a trojan that works over an HTTP covert channel. So, an
> added counter-measure to this potential breach of the desktops is to
> install a virus shield and a personal IDS like BlackIce Defender.

You're also missing the risk of active content, especially ActiveX and the
newer COM-over-HTTP stuff (assuming MS products).

> However, for a system/network administrator who most likely has access
> to more sensitive servers and has more confidential data cached or filed
> on his desktop, I believe the risk is definitely much higher from the
> company's perspective. Other than removing that web access from the
> administrator, is there anything else that we can do to make the
> administrator PC more secure?

You might have difficulties completely removing Web access as systems
support, security information, patches, and HR functions move to
Web-enabled applications.

> Your opinions or experiences please? Any comments will be appreciated.

I'd look seriously at remote display for at least critical users. Running
the browser on a fairly well-protected machine and exporting the display
to the end-user desktop gives the advantage of not killing functionality
while still isolating external traffic to a more protected host. If that
host is filtered pretty heavily, things can probably be made reasonably
secure.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probertsclark.net which may have no basis whatsoever in fact."