RE: x.25 link running HDLC does not need firewall?

Subject: RE: x.25 link running HDLC does not need firewall?
Date: Thu, 26 Aug 2004 09:30:55 -0500
Ken,
Anytime there is a 3rd party network connected at what we'll call a
perimeter boundary, there should be acceptable controls applied to limit
what traffic is allowed.  Whether that's a full-fledged firewall or merely a
router with appropriate ACLs is up to you and your organization.

Not to be a smart-a$$, but what does your Corporate Security Policy state
with regards to connecting to 3rd party networks?  If it doesn't take that
into account then perhaps a review of it might be in order before any
further changes are made to the network?

Regardless of the level of trust you may have for this other company, you
can't and shouldn't depend upon their security policy.  Any potential
failures of theirs could make compromising yours that much easier.

Best advice is to limit traffic coming in/out of that network via ACLs on
the router and if you're really paranoid, go ahead and put a firewall either
on the network (network based) in front of the system or directly on the
system (host based).  

Also, make sure the Solaris box is up to snuff with patches/AV/what have you
- even though you're only allowing the other company access to this one
system on your network, if it's compromised it could be used as a
jumping-off point to attack the rest of your network.  Again, appropriate
ACLs to limit what can come/go to this system will go a long way to keeping
your network secure.

And your concerns for the telco - I'd have to say they're unfounded.  But if
you're really paranoid about it, go ahead and establish a VPN using the
routers at each end to encrypt the traffic through this point-to-point and
then it can't be snooped.

If you're noticing a pattern, it's there for a reason: Defense in Depth.
Multiple layers - they are your friend.

HTH.

Brandon Fetch
817-871-4036
-- carpe ductum -- "Grab the tape"

-----Original Message-----
From: K Shen [mailto:kelvinshen@yahoo.com]
Sent: Wednesday, August 25, 2004 2:29 PM
To: firewalls@securityfocus.com
Subject: x.25 link running HDLC does not need firewall?


You gurus out there please kindly enlighten me on whether we need a firewall
for this scenario and if so, what product would support this:
The bank I work for has an X.25 HDLC serial point-to-point link to a stock
exchange.  The link is via leased lines provided by a vendor, which goes
through 2 telecom exchanges between us and the destination.  The connection
between our application server (Solaris 2.6) and the stock exchange is
initiated by us.  This application server is connected to the rest of my
internal network via TCP/IP. This Solaris server is not hardened.

Without a firewall in between the stock exchange and my application server,
would there be a way an attacker from the stock exchange, or from the telco
line vendor, could potentially hack into my Solaris box or tunnel through to
my internal TCP/IP LAN?  Any specific examples would be greatly appreciated!


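
The router-ACL approach Brandon recommends, written out as an added example (not part of either message in the thread). It assumes the leased line carries IP and terminates on a Cisco IOS router at the bank's edge; the interface name, the addresses (RFC 5737 documentation ranges) and the exchange's TCP port are placeholders chosen for illustration, not values from the original post.

```cisco
! Added example, not from the original thread. Assumptions:
!   Serial0/0      = the HDLC serial interface facing the X.25/telco link
!   198.51.100.10  = exchange-side application host (assumed)
!   192.0.2.20     = the bank's Solaris 2.6 application server (assumed)
!   TCP 5000       = the exchange application port (assumed)
!
! --- Weak: the "trusted partner" setup as described in the post ---
! No access-group on the link interface, so anything the exchange or the
! telco path injects is routed straight onto the internal LAN.
interface Serial0/0
 encapsulation hdlc
 ip address 203.0.113.2 255.255.255.252
!
! --- Hardened: permit only the one session the bank initiates, both ways ---
ip access-list extended FROM-EXCHANGE
 remark Return traffic for sessions our server opened to the exchange
 permit tcp host 198.51.100.10 eq 5000 host 192.0.2.20 established
 remark Nothing else may enter from the partner/telco side; log attempts
 deny   ip any any log
!
ip access-list extended TO-EXCHANGE
 remark Only the application server may talk to the exchange, only on its port
 permit tcp host 192.0.2.20 host 198.51.100.10 eq 5000
 remark The rest of the internal LAN never reaches the link; log leaks
 deny   ip any any log
!
interface Serial0/0
 encapsulation hdlc
 ip address 203.0.113.2 255.255.255.252
 ip access-group FROM-EXCHANGE in
 ip access-group TO-EXCHANGE out
!
! The TO-EXCHANGE list also limits the damage if the unhardened Solaris box
! is compromised: it cannot be used to reach anything on the far side except
! the one exchange host, and nothing else on the LAN can be reached from it
! over this link. Controlling what the box may do towards the rest of the
! internal LAN needs a filter on the LAN side as well (e.g. the server on its
! own router segment), which this example does not cover.
```

Two caveats a practitioner would want: the `established` keyword is stateless (it matches any TCP segment with ACK or RST set), so a partner host can still send ACK-flagged packets at 192.0.2.20 port-by-port; that is exactly the gap a stateful firewall closes and why the reply leaves the "router with ACLs vs. full firewall" choice to the organisation's policy. And `deny ip any any log` on a busy link can flood the router's logging process, so rate-limit or summarise the log output once the policy has been verified.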
