From: Mathieu CHATEAU (gollum123@free.fr)
Date: Wed Mar 07 2007 - 02:20:19 EST
hello,
I am on the way to use IPSEC & Vmware technology to do this :)
Vlan are best, but need to be done by Mac address. If done by port, they
only need to cross 2 cables, and your vlan are useless !
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
----- Original Message -----
From: "WALI" <hkhasgiwale@gmail.com>
To: "Dunn, Kevin" <KSDunn@firstcommand.com>; <pen-test@securityfocus.com>
Sent: Tuesday, March 06, 2007 6:52 PM
Subject: RE: Proof of concept - Segregation of developers
> Yes..I am with you kevin ...all the way. The dangers of NOT segregating
> ( through logical access mechanisms) developers from the production are
> immense.
>
> I was wondering, if there exists the need to physically separate these
> guys vlan (disable inter vlan routing etc) of development/test and
> production environment?
>
> My only concern right now is, the threat of allowing developers be able to
> ping/netstat/access production servers from their own workstations in
> development environment, is if they have hard coded a backdoor entry and
> do stuff in production without authorisation.
>
> Is this concern ..genuine?
>
>
> At 01:23 PM 3/5/2007 -0600, Dunn, Kevin wrote:
>>WALI -
>>
>>I would submit that by specifying "malicious intent" in your scenario
>>you are closing off the vast majority of problems that can arise in
>>environments where strict controls between development, testing, and
>>production environments are not applied. You original question is very
>>valid - however I would be interested in responses to a broader question
>>also.
>>
>>In my opinion, the majority of problems occur when things are "fixed" in
>>production. This is a natural impulse, as the overwhelming majority of
>>people in the information technology field are "fix it" people. We do
>>not like to see a problem go on for a minute more than necessary.
>>
>>However, when development teams are allowed access to production for
>>debugging and remediation, the following items can occur in the "heat of
>>battle" without any malicious intent.
>>
>>-- A fix is created and applied - but not applied to the source code
>>system so the problem re-occurs with the next code update.
>>
>>-- Unknown exploit code on the developers machine has access to live
>>production data - potentially HIPPA or trade secret data which can cost
>>significant resources if exposed.
>>
>>-- Ad-hoc logging and tracing functions are created, causing problems
>>later when log files grow in strange, out of the way places and cause a
>>server to crash due to disk or resource exhaustion.
>>
>>-- The same ad-hoc logging and tracing functions create logs which
>>contain sensitive data which are unknown and unmonitored and
>>subsequently not handled in a secure manner.
>>
>>-- Debugging code is activated in production which causes un-explained
>>system slowness.
>>
>>Unfortunately for the proof of concept aspect of your question - it is
>>difficult to prove that these thing will occur. However, you can show
>>through mathematical analysis of an organizations operational and
>>software defect percentages the likelihood of these items occurring.
>>
>>Hope these thoughts help. Best wishes on your research, I hope you are
>>able to share the results with the list.
>>
>>Kevin Dunn
>>STATEMENT OF CONFIDENTIALITY: The information contained in this message or
>>any attachments to this message are intended only for the person(s) or
>>entity to which it is addressed and may contain confidential and/or
>>privileged material as well as being protected from disclosure. Any
>>review, retransmission, dissemination or other use of, or taking of any
>>action in reliance upon, this information by persons or entities other
>>than the intended recipient is strictly prohibited. If you received this
>>in error, please contact the sender immediately and delete the material
>>from any computer.
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:39 EDT