help with security issue

bwanaaa

Senior member
Dec 26, 2002
739
1
81
My building provides me a static IP for my department. The building has a T1 line that goes to a Checkpoint firewall and then to a big router. We get one of the 300 IPs they provide. My department shares that IP behind a NAT router. We used to be able to connect to our LAN from the outside. We especially enjoyed the facility of connecting to our PIM and doing appointments and phone work without actually being there. I had forwarded the port that our application used to the IP address of our PIM server. But NOW, our IT persons are shutting off all inbound/outbound traffic except email and web browsing. Our proprietary application that communicated through its own port is now locked out. Concerns over worms and viruses (has anyone's computer gotten a cancer yet?) are forcing them to take a hard stance. In light of all the press about 'net problems, I can understand their position.

So, is there a solution for me? Is there an application that will change my PIM traffic into 'web traffic'? Please forgive the insane-sounding question; I don't know all the jargon. For example, can I run an application that listens on port 9099 on my computer and repackages that info as packets on port 80 so they pass through our Checkpoint? Of course I would need to run this software on every client as well as the server.


cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
I'm sure there are workarounds, though if you have only one public address that needs to serve web pages as well as your app, things would get tricky. But that would pretty clearly be contrary to the policy the IT people have set up. I doubt the convenience is worth your job. I would see if your PIM, or a similar replacement, has a bonafide web interface that would not violate policy.

ScottMac

Moderator (Networking), Elite member
Mar 19, 2001
5,471
2
0
You should be able to negotiate with IT/IS to get those ports opened. They may require that you run certain "Approved" programs on the remote machines, but if they're reasonable people, y'all should be able to work it out.

If you can't, then don't do any "workarounds"; in many cases, that's grounds for dismissal (without review). If they decide that you're jeopardizing the rest of the network for your convenience, you're toast.

Your other options would be to run a Quarantine LAN ... you are your own network with no connection to the Main Network.

You may be able to offer some budget for a departmental VLAN box ...

All is not necessarily lost, you just need to be willing to patiently negotiate.

They have to protect the network, that's part of their job. Cut 'em some slack.

Good Luck

Scott


bwanaaa

Senior member
Dec 26, 2002
739
1
81
Thank you both for your input. But it seems it's not to be. They are quite firm about the NO INBOUND traffic rule except http (80) and email (I forget the port). I can't blame them; it's their job. But I perceive this to be an issue of monitoring the ports and am willing to comply.

Why did both of you perceive this to be an issue of circumventing their rules? I am just trying to comply with them and get my PIM to run on port 80. I don't run a web server or FTP server at my static IP. Nothing but my PIM. VPN is out of the question (it would not get through the firewall).

Right now I am looking at alternatives: periodically backing up my PIM to a server offsite.
I have a Mac and, interestingly, I can get iDisk to mount on it. Don't ask me why. I could never get my Network Neighborhood to show me my home LAN.