Archived from groups: comp.security.firewalls (More info?)
I have been struggling with how to protect company laptops while not
in the office, yet allow access to resources when here. The biggest
problem is the whole "file sharing" boondoggle.
Here's the situation:
When in the office, I at least want to be able to allow my users
to access the company file and print servers (which run Samba). They
do not need to share files the other way (the laptop need not be
a server) as they can always put files they want to share on
a server.
When on the road, at home, etc. I definitely do not want to
allow the laptop to act as a server. We already had one worm
attack because a user put his laptop on his Comcast-driven home network
"for just a few minutes so I could print something" and then
brought it back into work the next day infected.
I have been playing around with Symantic Client Security.
This is the product that gets managed as part of the Corporate
Edition of their anti-virus product. We like it because it can
be installed in such a way as to disallow removal, disallow
"disable", etc., but we find we need to allow the users to
disable it when in the office in order to access
resources. They then disable too often.
Does any know how to write a "proper" set of rules that will
allow the laptop to act as a client, but not as a server on
the kitchen-sink services on ports 137-139 and 445? I can't
seem to base it just on direction (in/out), protocol (tcp/udp),
and port (137-139,445) which seems to be all I have to work
with in the Symantic Firewall.
Is there an alternative? We also have Checkpoint's SecureClient
available, but the user's quickly figured out how to disable that.
Besides, correct me if I am wrong: it only works when connected
via the VPN.
Also, is there any way to make these products "context sensitive"?
I.E.: If on the corporate network, disable firewall, otherwise
enable. BTW: IP addresses are not a good test of "on the network"
as we use a private 172.16-31.*.* network internally and anyone
else could do the same.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
I have been struggling with how to protect company laptops while not
in the office, yet allow access to resources when here. The biggest
problem is the whole "file sharing" boondoggle.
Here's the situation:
When in the office, I at least want to be able to allow my users
to access the company file and print servers (which run Samba). They
do not need to share files the other way (the laptop need not be
a server) as they can always put files they want to share on
a server.
When on the road, at home, etc. I definitely do not want to
allow the laptop to act as a server. We already had one worm
attack because a user put his laptop on his Comcast-driven home network
"for just a few minutes so I could print something" and then
brought it back into work the next day infected.
I have been playing around with Symantic Client Security.
This is the product that gets managed as part of the Corporate
Edition of their anti-virus product. We like it because it can
be installed in such a way as to disallow removal, disallow
"disable", etc., but we find we need to allow the users to
disable it when in the office in order to access
resources. They then disable too often.
Does any know how to write a "proper" set of rules that will
allow the laptop to act as a client, but not as a server on
the kitchen-sink services on ports 137-139 and 445? I can't
seem to base it just on direction (in/out), protocol (tcp/udp),
and port (137-139,445) which seems to be all I have to work
with in the Symantic Firewall.
Is there an alternative? We also have Checkpoint's SecureClient
available, but the user's quickly figured out how to disable that.
Besides, correct me if I am wrong: it only works when connected
via the VPN.
Also, is there any way to make these products "context sensitive"?
I.E.: If on the corporate network, disable firewall, otherwise
enable. BTW: IP addresses are not a good test of "on the network"
as we use a private 172.16-31.*.* network internally and anyone
else could do the same.
--
Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
Facebook
Twitter
Instagram