Re: Restricting Access to TCP/IP and DECnet



On Jan 30, 7:41 am, Jim Duff <spam.t...@xxxxxxxxx> wrote:
> Bob Gezelter wrote:
> > On Jan 29, 6:58 pm, "Robert Jarratt" <nos...@xxxxxxx> wrote:
> > > Is it possible to restrict access to TCP/IP (5.1) and DECnet (IV) on a
> > > per-user basis? In other words I would like someone to be able to access my
> > > machine, but not to go from that machine to anywhere else on the network.
> > >
> > > Thanks
> > >
> > > Rob
> >
> > Rob,
> >
> > WADU, I will have to disagree with Jim Duff. Restricting access to
> > particular images is a good idea, but since these are essentially
> > non-privileged images, a (somewhat) inventive user can circumvent the
> > security by finding and using copies of the images or equivalent from
> > his own directory.
> [snip]
>
> How is the user going to get a copy of the executable if it is marked
> ACCESS=NONE?
>
> Jim
> --
> www.eight-cubed.com

Jim,

The comments that have been posted in the interim have mentioned
several approaches that concern me.

Preventing access to executables has its utility, but it presumes that
the users being secured against have no capability of getting
executables on their own power.

From an auditing perspective, it is a far surer thing to prohibit
access to the device that serves as a mandatory gateway to the TCP/IP
stack (or to remove NETMBX, after verification that it is indeed
needed for ALL network accesses), than to say "Well, I have blocked
access to known network utilities". Blocking access to utilities is
akin to application-level controls: they have some utility, but they
are not airtight in the face of user belligerence, which is what
security measures are intended to prevent.

The recent high-profile scandal at Société Générale, which has been
reported widely (see http://www.nytimes.com/2008/01/29/business/worldbusiness/29trader.html,
an article in The New York Times), clearly points out that security
and audit controls exist for the purpose of preventing deliberate
misuse, not casual accidents.

- Bob Gezelter, http://www.rlgsc.com
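The two kinds of control contrasted in this thread, as an added DCL example that is not from any of the posters: Jim's image-level ACCESS=NONE ACE beside Bob's device-level ACE on the TCP/IP gateway device and the NETMBX removal in AUTHORIZE. The username JSMITH is a placeholder, and BG0: (the TCP/IP Services template device) and TCPIP$TELNET.EXE are assumed names for this system.

```dcl
$! Added example, not from the thread. JSMITH, BG0: and TCPIP$TELNET.EXE
$! are assumed names; check them against this system before use.
$!
$! 1. Image-level control (Jim): deny the user the known utility image.
$!    Defence in depth only: a private copy of the image is not covered
$!    by this ACE, which is the gap Bob describes.
$ SET SECURITY /CLASS=FILE -
      /ACL=(IDENTIFIER=JSMITH,ACCESS=NONE) -
      SYS$SYSTEM:TCPIP$TELNET.EXE
$!
$! 2. Device-level control (Bob): deny the user the device every TCP/IP
$!    socket must open. BG0: is assumed to be the template from which the
$!    per-socket BGn: devices are cloned, so the ACE applies whichever
$!    image the user runs. The ALARM ACE records each failed attempt,
$!    giving the audit trail Bob argues for.
$ SET SECURITY /CLASS=DEVICE -
      /ACL=((IDENTIFIER=JSMITH,ACCESS=NONE), -
            (ALARM=SECURITY,ACCESS=FAILURE)) -
      BG0:
$ SHOW SECURITY /CLASS=DEVICE BG0:
$!
$! 3. Privilege-level control (Bob's alternative): remove NETMBX from both
$!    the authorized and default privilege sets. Verify first, on this
$!    system, that every network path really requires NETMBX; if one does
$!    not, this control alone is incomplete.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY JSMITH /PRIVILEGES=(NONETMBX) /DEFPRIVILEGES=(NONETMBX)
SHOW JSMITH /BRIEF
EXIT
```

The user must log out and back in before the changed privilege mask takes effect; the device ACE applies to new channel assignments immediately.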