
Am I secure?

jkeeper

MIS
Jul 19, 2000
69
US
Hello,

I have a nagging question.

We have a Win 2000 domain. We have applied all the latest patches, and we have a firewall in place. My concern is that we have users who connect to the domain from home and from some work locations across the state. They use Win95 through WinXP, and we have never tweaked these machines for security or applied the latest patches. When these users connect to the network for any reason, are we secure??

JKeeper
 
Absolutely not. Who knows what's on those machines? At a minimum you need to have a written policy specifying that home workers use an approved virus checker, update their definitions at certain intervals, have specified service packs applied, have certain features disabled, etc. Also, if they are on a broadband connection, specify a firewall and maybe even a NAT box, etc. Make the users sign an agreement to follow this policy before granting remote connection permission.

If necessary, get management's approval to purchase these things for home workers, or disallow home work. You can't necessarily verify that everything is being done as specified, but you at least have a basic minimum level of security communicated to the users and an attempt to get them to conform. That's better than the completely open, unknown holes you have now.
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
 
Sorry, for a minute I thought you said Win 95....

Oh, I hope you have insurance.

At the very least implement what Jeff said but please, ditch 95 or you could be in for serious trouble.

How do you authenticate users? Is it with a random key using a RADIUS server, or specific software such as Defender?

If you have a firewall in place, does it support VPNs such as Raptor Mobile, which is designed for remote users?

As things stand, patches and updates are all well and good, but only to a point. Referring back to Jeff again: if they have always-on broadband connections on VERY hackable PCs which are connected to your network... need I say more?

I suggest you have a full and frank chat with your directors.

On a more proactive note, you could consider the following:

Disconnect remote users and catalogue their loss of functionality.
Calculate any loss of revenue through this stance.
Calculate loss of revenue from an imaginary security breach.
Prepare a risk assessment and cost analysis for an upgrade based on the above and present it to management.

If you can prove that improved security will generate profits or at least prevent loss of funds or corporate image you will stand a better chance of securing budgetary approval.

Have fun

Brian
 
If I am correct, this is exactly the configuration that was active during the Microsoft hack in 2000. The QAZ worm was placed on the computer of such a "home worker".
hnd
hasso55@yahoo.com

 
Well, both of you have gotten my attention. Some users use dial-up (modem) and some use cable. Modem users come through another state agency that provides internet services. Or used to; I have heard talk of ditching that service for cost reasons. Other users use ISDN and cable.

The latter do come through a firewall, but still I wonder if we need to tweak these machines. We have not, and I did raise this question, but I was told that because of the firewall things would be OK??????

Based on what you two say, the firewall is not the be-all and end-all. Now that I have added some information, do you still feel that I need to make haste and lock down the system with major changes?

Thanks for your advice and I will get on it.

JKeeper
 
A firewall only keeps untrusted machines out of your systems. By definition, home workers connecting through your firewall are trusted. But since they are remote machines, they are outside your physical plant and are not secure. So you now have open, insecure machines that have a direct path into your internal network. Not cool. The external machines need to be as secure as you can make them.
Jeff
I haven't lost my mind - I know it's backed up on tape somewhere ....
 
The firewall actually makes your issue more serious.

A hacker's goal is to infiltrate an internal network on the back of a trusted host, i.e. all your insecure mobile users. These machines authenticate and are then trusted implicitly.

Yes lock them down.

I would suggest using dial-back also. Although a hacker can redirect this, it is another layer of defence. Defence in depth. The more crap they have to get round, the sooner they will get bored.

I would suggest that these users also have to go through stricter log-on procedures, possibly including biometrics, before they connect remotely. I would also ensure that connections are dropped after a period of inactivity and that the logs are checked regularly to identify abnormal use. Remember logs can be doctored, so real-time log checking is a must to establish what is normal.

God, I do go on, don't I.

On a more serious note, upgrade to a more robust OS such as Win 2000 for remote users. As you have this sort of network it makes sense to support one OS only. This will also save you money on licensing if you can increase your current licence threshold to include these users.

Thoughts anyone.

Brian
 
I am glad that you mention "connections being dropped after a period of inactivity". I know for a fact that sometimes you will be dropped, and then sometimes the connection remains for 10, 24, 36 hours with no activity whatsoever??? Using the latest Cisco firewall hardware???

What's with that?
 
Firewalls are only as good as the rules and filters they have had set up on them.

Your authentication server should be dropping the connection, not the firewall. You can set access times for individual hosts and force them to drop at a certain time of day; that gets round the 36-hour hacker's paradise you currently offer. The firewall can do this, but that's not its job.

I wouldn't advise advertising your external IP address on the net.

Brian
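The inactivity timeout and fixed access window Brian describes, as an added example that is not part of the thread: a small Python checker that reads constructed VPN session events (the log format, user names, timestamps and the 30-minute/8-hour limits are all assumptions made up here) and reports sessions that should already have been dropped.

```python
from datetime import datetime, timedelta

# Assumed policy values (not from the thread): drop after 30 minutes of
# silence, and never let one session outlive an 8-hour access window.
IDLE_LIMIT = timedelta(minutes=30)
MAX_SESSION = timedelta(hours=8)

# Constructed sample events, one "timestamp user event" per line.
SAMPLE_LOG = """\
2002-03-04T08:00:00 alice connect
2002-03-04T08:05:00 alice traffic
2002-03-04T08:10:00 bob connect
2002-03-04T08:20:00 alice traffic
2002-03-04T19:30:00 bob traffic
2002-03-04T20:00:00 bob traffic
"""

def parse_sessions(log, now):
    """Build {user: (start, last_activity)} from events up to and including now."""
    sessions = {}
    for line in log.splitlines():
        ts, user, event = line.split()
        when = datetime.fromisoformat(ts)
        if when > now:
            continue  # ignore events the checker has not seen yet
        if event == "connect":
            sessions[user] = (when, when)
        elif event == "traffic" and user in sessions:
            sessions[user] = (sessions[user][0], when)
    return sessions

def hours(delta):
    return round(delta.total_seconds() / 3600, 1)

def find_stale(log, now_iso):
    """Return sorted (user, reason, hours) for sessions that should have been dropped."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for user, (start, last) in parse_sessions(log, now).items():
        if now - last > IDLE_LIMIT:
            findings.append((user, "idle", hours(now - last)))
        if now - start > MAX_SESSION:
            findings.append((user, "too_long", hours(now - start)))
    return sorted(findings)

if __name__ == "__main__":
    # Run the check 36 hours after alice connected, the situation JKeeper saw.
    for user, reason, h in find_stale(SAMPLE_LOG, "2002-03-05T20:00:00"):
        print(f"{user}: {reason} for {h} h, session should have been dropped")
```

Run periodically against the authentication server's session log, each finding is a connection that the idle timeout or access window should already have torn down.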
 
I just got back. And thanks to all who have given advice and information that has educated me. Right now users are using a VPN client to authenticate. The NT network manager does not like this method at all. That is one reason I asked this question: documentation from people in the know.

Thanks a lot.
 
VPNs do two things:

1) Assure you that people connecting are who they say they are (well, reasonably assure you)

2) Prevent eavesdropping as the packets fly about the Internet.

What they don't do is protect the end-points of the connection -- the home PC and the datacenter. You've probably taken steps to protect the datacenter (firewalls, virus scanners, etc). But until you protect the other end of the VPN, it can act as a tunnel past your datacenter's protection mechanisms.

One thing you can do is establish a "DMZ" for VPN users. This is a section of your network that is not public, but not 100% trusted, either. You'd have another firewall between the DMZ and your internal networks.

Chip H.
 
Thanks Chip,

We do have a DMZ in place. I guess we are on the right track and doing a lot of things right. I just thought that the remote users' machines were a very weak link or a direct link to our internal network. You guys have given me great information and insight. Many thanks to you all, man I love this site!

Jkeeper
 