
Rogue Inet Gateways - Tell me why this is a bad idea.

TBivo

Junior Member
Hello,

We have a network of about 2500 PC's. We provide Internet connectivity to all of these devices through a firewall of course. However, some people don't like to deal with the firewall or want faster access and have resorted to setting up connections through other providers such as DSL or cable. These rogue connections are then distributed using simple SOHO routers from the likes of Netgear or Linksys.

The problem is that these computers have two NICs, so they are dual-homed: they are on both our internal enterprise network AND connected to the smaller network fed by the Cable/DSL router for Internet connectivity. The boxes connected in this case range from Win98 to 2K to XP. I already have some specific concerns about how these networks are configured and how the actual boxes are configured, but I'd like to hear what all of you have to say about this.

I'd like specifics but realize that you guys don't want to get too detailed to give the freaks out there too many ideas. Perhaps someone can point me in the right direction to do additional research. I'm hoping to find some white papers or perhaps some actual incidents I can read through and present to the powers that be.

(We realize this is a huge security problem but it's a very complicated issue in terms of personnel, sphere of influence, etc. so let's try to keep focused on the tech side of this)

Thanks

 
Cracking networks is a lot like most tasks. The path of least resistance is usually the best way to get done what you want done. Hopefully, the firewall and any other security measures you have in place at the main connection would provide plenty of resistance to any script kiddiots wanting to 0wn your network. So they could look for other ways in. A DSL line perhaps. They could get into that machine and possibly launch attacks from there. It is much easier to defend one point of access instead of 2, 3, 4, etc.

This could also become an administration hazard.

You should have a network usage policy which includes things like this. Working around the setup of the Administrators should be an offence worth termination. It should also be enforced. After seeing an employee or two lose their job because of stupid crap like this, most other people will refrain from making the same mistakes 😉

EDIT: Look at sans.org for some information on security. The site is 99.9% "how to secure your system/network/whatever" instead of the others I read which are 60% "how to secure" and 40% "how to break in." 😉
 
n0cmonkey's got it nailed. All you have to do is look back about a year to the ILOVEYOU and CODERED crap to see how much danger there is in having even one exposed machine on the LAN.

Just because someone is clever enough to bypass the security of the LAN doesn't mean they're necessarily vigilant enough to protect their systems, or keep the security measures up-to-date....scan back through the archives here and look at the number of folks that got bombed with ILU and CR....and many of the ones that got hit were "paying attention" and got hit anyway.

All you have to do is figure out the cost of what it would take to COMPLETELY RELOAD (include formatting) your 2500+ PCs while those 2500+ users sit around spinning on their thumb waiting to use their machines.

Even at minimum wage, you're talking about ~ TEN THOUSAND+ dollars AN HOUR of wasted time. With a really efficient crew and a clever implementation of Ghost, you're talking a week or more to get all the machines back up. Add to that any business lost while everyone in sales or order-taking can't get the orders in.

Then, add to that all of the lost data and/or the additional time to get (semi) current backed-up data back to the right machines.

Bypassing security usually is (and should be) a hanging offense (at best) and, at least, make the offending (L)user eligible for being drawn-and-quartered.

If there's no written policy (hard to believe for a network of that size), write one - QUICK - and implement it. Give fair warning, then start shooting... no reasonable judge or jury would convict you.

This is some serious sh!t. Get a handle on it before something ugly happens.

IMHO, FWIW

Scott
 


<< If there's no written policy (hard to believe for a network of that size), write one - QUICK - and implement it. Give fair warning, then start shooting... no reasonable judge or jury would convict you. >>



Best thing to do is get a policy written and bring it to the big boss. Have him *SIGN* it. Then the policy should be VERY enforceable because of the boss's endorsement. That's a very important part of things right there (or so I'm told, I haven't ever had to do this, but it makes sense...).
 
Bottom line: You can't have security if anyone can make any change to the network at any time. PERIOD. This is a PURE and simple problem with management or the corporate leadership or the lack of responsible and intelligent leadership in the IT department (if not, then the corporate leadership are idiotic, and I can't believe a company of 2500+ employees doesn't know about making and preserving profits unless they are an internet startup.) I have to agree with the two previous posts:

<< If there's no written policy (hard to believe for a network of that size), write one - QUICK - and
implement it. Give fair warning, then start shooting... no reasonable judge or jury would convict you.

Best thing to do is get a policy written and bring it to the big boss. Have him *SIGN* it. Then the policy should be VERY enforceable because of the boss's endorsement. That's a very important part of things right there (or so I'm told, I haven't ever had to do this, but it makes sense...).
>>

Just gotta agree. The largest private company I've worked for now has about 2000 employees, I've worked for a local county IT office, and an even larger public company (100K+ employees) and also served four years as a member of the US military. I've had dealings with all kinds of businesses, management and personnel.

Still, how on earth could the management at this company not have a security policy? Or don't they understand the potential problems with a lack of an implemented and enforced IT security policy even as an extension of their current policies?

Politics as they are, the owner or CEO or board or whatever should be presented with thorough documentation detailing a plan, the ways it could be implemented most securely with the least disruption and how all departments should coordinate future changes or requests and procurements and all security issues concerning data and network access. The above decision makers should also be provided sufficient documentation showing the real problems caused by lack of security and the statistics real and estimated of the cost of intrusion and/or loss/compromise/damage.

The best, most technically competent and most respected IT personnel should present the information in a special meeting with the appropriate corporate management personnel to discuss these significant security concerns and security holes in the network. Major corporate changes must be sold to those who are able to make new policies affecting a whole business. The decision maker must have absolute confidence in what the IT management/staff say and present and must summarily agree with the primary security concerns and conclusions of the IT department.

Lastly, ensure the plan is implemented in such a way so that the least amount of disruption occurs to services. Upgrades to existing bandwidth and services (like firewall/proxies) should be a part of the plan to correct previous complaints of 'slow' internet access and show that IT is working to ensure worker productivity and responsive to their needs. (New funding may be required for this and should be part of the plan that is sold to corporate management.) This is how to implement change that will preserve jobs and create respect for the IT department.

VVVVVVVVVVV

Your answer:

If politics are already too bad and IT is already knee deep and is not taken seriously, monitor the network (sniffers and other network monitors) for unauthorized traffic and security violations and maintain a database of relevant information.
First change if you can do it: roll out user policies that prevent users from changing their Network and Dial-Up Connections in the future or that prevent any user-level changes that affect networking. If politics are too bad, then it's not likely you can do this.
Second: try to isolate the nodes and network segments with external routers to smaller networks or VLANs and disable their ability to access certain information, except via encrypted VPN. (This may force them to use one connection or the other.)
Last, build a database of security problems and document, document everything from SAFE and Acceptable PRACTICES as detailed by Microsoft and other reputable agencies or businesses to 'permitted' changes made by users on the network.

Complaints from workers can make IT look bad and if the CEO already has a poor perspective about the IT agenda and methodologies, it can take years to counter this incorrect perspective if the same personnel are working there. Exodus and turnover of competent IT personnel specifying the same problems and solutions will eventually get upper management attention if other loss doesn't get there first. Ignoring the problem is just as bad because when problems occur, then finger pointing often results and then . . . Remember, any changes must still be 'sold' to the upper management and workers must be informed of any changes that will affect their current or 'perceived' environment (maybe they think 'network access rights') and helped with future network access regardless of the impropriety of their setup.
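As an added illustration of the "monitor the network and maintain a database of relevant information" step in the post above (example code written for this thread, not the poster's own), here is a small Python audit that takes a per-interface inventory export and flags two things a defender would want to see in that database: hosts that are dual-homed (one address inside the corporate range, one outside it) and interfaces whose default gateway is not one IT operates, which is how a SOHO router hanging off a second NIC shows up. The CSV layout, the sample rows, the 10.0.0.0/8 corporate range and the 10.0.0.1 approved gateway are all constructed assumptions, not values from the thread.

```python
"""Flag dual-homed hosts and unapproved default gateways in a NIC inventory.

Added example for the thread: the inventory CSV, the corporate address range
and the approved gateway list below are constructed assumptions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed corporate address space and the only gateway IT operates (constructed).
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_GATEWAYS = {ipaddress.ip_address("10.0.0.1")}

# Constructed sample export: one row per interface, as a login script or
# asset-management agent might collect it (hostname, NIC, address, default gw).
# A blank gateway field means the interface has no default route.
INVENTORY = """\
host,interface,ip,gateway
acct-pc01,tr0,10.1.4.23,10.0.0.1
acct-pc01,eth0,192.168.1.12,192.168.1.1
sales-pc07,eth0,10.2.9.40,10.0.0.1
eng-pc12,tr0,10.3.1.5,
eng-pc12,eth0,10.3.1.6,10.3.1.254
"""


@dataclass(frozen=True)
class Interface:
    name: str
    ip: ipaddress.IPv4Address
    gateway: Optional[ipaddress.IPv4Address]  # None when no default route


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "dual-homed" or "unapproved-gateway"
    detail: str


def parse_inventory(text: str) -> Dict[str, List[Interface]]:
    """Group the CSV rows by host; blank gateway fields become None."""
    hosts: Dict[str, List[Interface]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        gw = row["gateway"].strip()
        iface = Interface(
            name=row["interface"].strip(),
            ip=ipaddress.ip_address(row["ip"].strip()),
            gateway=ipaddress.ip_address(gw) if gw else None,
        )
        hosts.setdefault(row["host"].strip(), []).append(iface)
    return hosts


def is_corporate(ip, nets) -> bool:
    """True if the address falls inside any of the corporate ranges."""
    return any(ip in net for net in nets)


def audit(text: str, corporate_nets, approved_gateways) -> List[Finding]:
    """Return one Finding per dual-homed host and per unapproved gateway."""
    findings: List[Finding] = []
    for host, ifaces in parse_inventory(text).items():
        inside = [i for i in ifaces if is_corporate(i.ip, corporate_nets)]
        outside = [i for i in ifaces if not is_corporate(i.ip, corporate_nets)]
        # A foot on the corporate LAN plus a foot on any other network is the
        # dual-homed case the thread is worried about.
        if inside and outside:
            findings.append(Finding(
                host, "dual-homed",
                f"{inside[0].name}={inside[0].ip} and {outside[0].name}={outside[0].ip}"))
        # Any default route that is not through an IT-operated gateway is a
        # rogue exit, whether the address is external or inside our own range.
        for i in ifaces:
            if i.gateway is not None and i.gateway not in approved_gateways:
                findings.append(Finding(
                    host, "unapproved-gateway", f"{i.name} uses gateway {i.gateway}"))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, CORPORATE_NETS, APPROVED_GATEWAYS):
        print(f"{f.host}: {f.kind} ({f.detail})")
```

Run against the sample rows it reports acct-pc01 as dual-homed with a 192.168.1.1 gateway and eng-pc12 as routing through 10.3.1.254, an unapproved gateway inside the corporate range; sales-pc07 is clean. Feeding it a real export on a schedule and diffing the findings gives the documented, dated record the post recommends keeping.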
 
yeah..sock it to them..damn ingrates....you get no respect I tells ya...


Seriously, tell management and do it in the most professional yet effective way. Never attack the content of the characters that are at fault...that will undermine your argument. Just point out that it is YOUR job to provide the company with the supreme QoS that THEY DESERVE. Even so, point out that under the Statutory regulations, the network, including all its vital info, is available to any hacker with time on their hands. Inform them that even at the Management level, every supposed secure file is vulnerable. Just make sure that regardless of the culprit you make the security ISSUES your main argument.

Good luck!
 
A fun comment to make is that the company can be responsible for any damage done originating from your network.
 
When you do finally get policy in place with the backing necessary to enforce it....IT'S HAMMER TIME!

Make sure the IT group has enough sledgehammers to go around, so everybody in IT can get a whack at those SOHO routers 😀
 


<< Bottom line: You can't have security if anyone can make any change to the network at any time. PERIOD. >>

This should be etched on the forehead of every IT person...it is that important.
The reason I am at the company where I currently work is that they actually GET this important truth.
 
Lots of good answers! Here's my two cents:


1: Security - Discussed ad nauseum in previous posts. Allow 'em to go out to the Internet on their own and they ARE going to do something dumb. Viruses, trojans, etc. Consider this a given.

2: Cost - The cost of installing and maintaining those DSL and dial-up lines is usually far more than most people think. Money would usually be better spent on a central service, like upgrading your main Internet connection to meet their needs.

3: Liability - Unless it's under central IT control, there is no restriction whatsoever on what your users do. They could be sending confidential corporate data, downloading unauthorized apps, or downloading porn. It's a company-owned PC on a company-paid-for connection. Your company is therefore liable for whatever they do. Porn is a big one - If anyone sees them looking at it and objects to management there can be big trouble.

4: Accountability - Their outbound access can't be tracked centrally, which is often required in some industries for liability issues.

5: Supportability - When it goes down, who do they call? How much does it impact their ability to do their job? Have they changed their machine so much that it's not fully functional to use on the main outbound connection? It's usually "John the guy from accounting who ordered the DSL line" who supports it - What happens when he's sick or gets fired for doing something dumb?

6: Main network stability - How long do you think it's going to be before someone accidentally plugs this thing into the main corporate network and it breaks all kinds of other services, like DHCP? Been there, done that.

I've been through this situation once or twice. Yes, they are doing something dumb. But if they really have to do it in order to do their jobs, then obviously there's some need that the main connection isn't serving. Talk to them, ask them what you could do to make it right and to support their needs through the corporate network. Sometimes a bit of give-and-take is what's required in this kind of circumstance.

If all else fails.. Go start unplugging and replugging the DSL line in every few hours.. Pour a little water in the power supply of the modem.. Short out the power cord.. If the thing fails a few times each day, they might appreciate the main connection some more! (I'm only halfway kidding - Nothing like a bit of fun sabotage to make your day!)

- G
 
Many thanks to all of you for the replies! After further discussion with the parties involved, it looks like the political obstacles here may indeed be too difficult to overcome. The connection was temporarily removed but I doubt it will stay that way....

I have a feeling we're going to end up isolating this segment and firewalling it off from the rest of our organization. They think their Linksys is a good firewall... I guess we could dump our firewall and the huge money we've spent on it and throw up a Linksys of our own eh?

They also think that "since none of their computers are 'bridging' between the two networks" that our security concerns are unfounded. They're thinking in terms of routing... I guess they don't understand that once any dual-homed box is compromised and someone gains control of it then some hacker would have all he needed. Oh yeah, and just to clarify...their segment is token-ring so all PC's have TR cards installed in them...but all new PC's we order have integrated ethernet NICs as well.

They think this is solely about control. I guess they are right in that it is about control, but it's not because we're power-trippers, it's because all of the other departments become vulnerable and we're responsible for their data as well. What happens when Dept. X has data exposed because of this vulnerability...who's to blame?

Have you guys ever seen this happen before? Perhaps an article or something I could print out and blow up supersized style for the powers that be? We understand what's right and what's wrong here but we've yet to convince them.

There has been previous history between the IT dept and this dept in question in years past I guess (I'm a newbie so it's news to me) re: quality and speed of work, but I think that even if we offered them the moon and had a perfect solution for them in 3 days (doable)...they'd still not want to go through our firewall. Political glitches sometimes can't be patched I guess.
 
Looking for a new job is a good idea... also start documenting everything, and I mean EVERYTHING screwed up with security. Begin giving written notices to your boss and others (if applicable) stating your position and possible implications of the problem(s). Every time ANYTHING changes, resubmit another letter to them (a new one, not the same one). Purposely make it look as if you're covering your ass for legal reasons and maybe they'll start to get a hint; if not, at least you're covered.

and if most of your job turns out to be politics like this, then get a new one...
 


<< After further discussion with the parties involved, it looks like the political obstacles here may indeed be too difficult to overcome. >>

I've been in the same situation, both in public and private sector. I like to call it "The Responsibility Without Authority Anomaly" (for all you Star Trek: TNG fans tuning in).

Basically, the paradox is this:

1.) You are responsible for ANYTHING and EVERYTHING that can and does go wrong with the network/systems/staplers (doesn't matter what it is really) that have been entrusted to you.

2.) You, however, do not have any authority to minimize the aforementioned ANYTHING and EVERYTHING that can and does go wrong with aforementioned network/systems/staplers.

It is important to realize that such authority does not have to be explicitly granted, either to a particular individual in IT or the IT group as a whole. It simply means that someone at a high enough level in the organization (at least an executive VP) needs to have the necessary clout, and be willing to use it to fight for IT's respect when necessary.

Such a paradox is made worse by the fact that in an organization of any size, ANYONE and EVERYONE else will either explicitly or intuitively know about the paradox, and exploit it in some way, shape, or form every chance they get.

For those of you who just want it laid out cut-and-dried, here it is:
This type of situation happens when the IT function in an organization is not given ANY respect, usually because IT is not seen as contributing to the well-being of the company, for whatever reason. Not a pleasant situation to be in when you work in IT. Usually the only way to fix it is to leave and get a job with a company that does respect the IT function.
 


<< Many thanks to all of you for the replies! After further discussion with the parties involved, it looks like the political obstacles here may indeed be too difficult to overcome. The connection was temporarily removed but I doubt it will stay that way. . . .

I have a feeling we're going to end up isolating this segment and firewalling it off from the rest of our organization. They think their Linksys is a good firewall...
. . .
Have you guys ever seen this happen before? Perhaps an article or something I could print out and blow up supersized style for the powers that be? We understand what's right and what's wrong here but we've yet to convince them. . . .
>>

Political obstacles can be difficult, but are not impossible. If, as you stated, IT was able to disconnect the connection (albeit heated or under difficult circumstances), this is a victory for IT in the right direction. Be that as it may, that does not mean that intrusion is impossible through current professional configurations, but just much more difficult. Security practices include many other things, like personnel not revealing information like names, phone numbers, passwords over the phone/network etc., not just the physical infrastructure integrity and security. I would still force those with external connections to connect to internal resources through VPN access. This would be an inconvenience to those personnel on the rogue networks, but tell them this is an extra security measure because of their local security problem. Also, implement group policies which prevent these users from changing their Network settings. If any of these users have Admin privileges on their own PCs (I can't imagine this), downgrade them to power users and make this modification asap. Notify them this is part of security concerns and new security implementations to help prevent damage to company resources.

I still can't imagine upper management at this company doesn't understand these security issues since the company is seemingly successful. This issue should go up the chain of command to the highest levels with proper identification and appropriate documentation of the security concerns, holes and violations of new policy. (Give the other department a fixed amount of time to comply with the new IT policy - like 5 days.)

Here are some examples of information from reputable sources:
http://www.cert.org/tech_tips/
http://www.cert.org/nav/index_red.html
http://www.cert.org/nav/index_purple.html
http://nsa2.www.conxion.com/
http://www.nipc.gov/cybernotes/cybernotes.htm
http://www.secretservice.gov/net_intrusion.shtml
http://www.cissp.com/resources/resources.html
http://www.cybercrime.gov/
http://www.ciao.gov/
http://www.microsoft.com/security/
http://www.sun.com/security/
http://www-3.ibm.com/security/index.shtml
http://www.itpapers.com/supercategory/security.html
http://www.sans.org/newlook/resources/policies/policies.htm
 
Just to be devil's advocate....

We have a similar situation here where I work. One "department" has constantly put in for part of their budget to be allocated to their own T1. And then they'd dual-home their machines. At first you'd think "those jerkbags are gonna compromise everything, someone better put them in their place". But here's the problem. Our network blows. I'm not talking poor, bad, pretty bad, oh my gosh bad, I'm talking "Sweet Jesus I wish I could just have dialup already". Now what is Networking's take on this? I couldn't possibly type it. It's so illogical and meandering that it cannot be argued. They simply make some random excuses/declarations/accusations, change the topic, go off on a tangent, and start making your life hell.

So here's the real question.... why are your end users trying to get the hell away?

bart
 
One word of advice.. If you can't make them play nice, CYA. Make sure you get an e-mail sent somewhere to someone in a position of authority which simply explains the issues, the risks and the impact of a security breach from separate connection. It's not your idea and you don't like it, but that's how someone said it's going to be.

Oh, and the idea of the firewall between them and your network is nice, but not practical. By the time you open up holes through the firewall for them to do their job, you might as well not have one at all.

One last question.. Is it practical to fix the problem they are complaining about for everyone? A faster circuit, a newer firewall, a caching proxy server to increase performance? It might not be cheap, but this might be the boost you need to get the budget to do it right. 2,500 users isn't trivial, but, depending on the requirement, you should be able to spend around ~$25K for some hardware to make things faster and maybe another grand or so a month for circuit costs. Cheap? No. Cheaper than a security breach or a major DOS attack? Yes.

Let us know if you want some reasonably-priced performance enhancement tips.. Been there, done that, got the free vendor t-shirt.

- G
 