[Dshield] General security question

Stephane Grobety security at admin.fulgan.com
Mon Nov 25 08:06:28 GMT 2002

Change your proxy configuration to require a personal login and don't
give them one. If they need web access, deny them SSL login rights.

On the other hand, it might be advisable to allow them SOME external
access that you can control: people start to get touchy when you cut
them from their EMail and if you deny them SSL rights, it's THEIR
server you force to make insecure (cleartext password on web access).

Good luck,

VF> I have found people who work for associate companies (i.e. auditors)
VF> connect to our internal network. 
VF> They are served a valid dhcp address which then allows them to access
VF> the Internet via a valid proxy server.
VF> They are then using a piece of software which uses SSL to connect to an
VF> outside SSL server (similar to a clientless VPN). They are then able to
VF> transfer files to their machines into our network. 

VF> This does not seem very secure to me but "the business" allows our
VF> auditors to connect to our network and we do allow our internal users
VF> http access to the Internet. Since this traffic is all valid, according
VF> to our network structure (proxy, firewalls, etc), and because the
VF> traffic is SSL I cannot see what is really happening. Can I take any
VF> further steps to protect our internal network?
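
An added example, not part of the original thread: before changing the proxy, existing access logs can be replayed against the policy suggested in the reply (personal login required, no SSL/CONNECT for guest logins) to see which clients are tunnelling and how much data the change would cut off. The log format, user names, hosts and the STAFF/GUESTS sets are constructed assumptions, not taken from any real proxy product.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "client user method target size")

# Constructed sample log: "<client> <user or -> <method> <target> <bytes>"
SAMPLE_LOG = """\
10.0.5.23 - GET http://www.example.com/ 5120
10.0.5.23 - CONNECT tunnel.example.net:443 48211004
10.0.1.10 alice CONNECT webmail.example.org:443 20480
10.0.5.40 guest_audit GET http://www.example.com/news 9000
10.0.5.40 guest_audit CONNECT tunnel.example.net:443 1048576
"""

STAFF = {"alice"}          # assumed personal logins, SSL (CONNECT) allowed
GUESTS = {"guest_audit"}   # assumed controlled guest logins, plain HTTP only

def parse(line):
    client, user, method, target, size = line.split()
    return Entry(client, None if user == "-" else user, method, target, int(size))

def decide(entry):
    """Verdict the proposed proxy policy would give for one request."""
    if entry.user is None:
        return "deny: no proxy login"
    if entry.user in STAFF:
        return "allow"
    if entry.user in GUESTS:
        if entry.method == "CONNECT":
            return "deny: SSL not permitted for guests"
        return "allow"
    return "deny: unknown login"

def replay(log_text):
    """Parse every non-empty log line and pair it with its verdict."""
    entries = [parse(l) for l in log_text.splitlines() if l.strip()]
    return [(e, decide(e)) for e in entries]

def denied_tunnel_bytes(results):
    """Bytes per client sent over CONNECT tunnels the policy would refuse."""
    totals = {}
    for entry, verdict in results:
        if entry.method == "CONNECT" and verdict.startswith("deny"):
            totals[entry.client] = totals.get(entry.client, 0) + entry.size
    return totals

if __name__ == "__main__":
    results = replay(SAMPLE_LOG)
    for entry, verdict in results:
        print(entry.client, entry.user or "-", entry.method, entry.target, "->", verdict)
    print(denied_tunnel_bytes(results))
```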

