On 8 Feb 2002, at 8:06, Herring, Bobby wrote:

> >  (Ideally, a firewall alert message should include the port numbers
> >and IP address(es) involved, allowing us to tell the difference
> >between the two scenarios and potentially, in the latter case,
> >complain to someone's ISP about inappropriate net behaviour....)
> >
> >Dave Gillett
>
> I did block it with Zone Alarm and then after reading this, I changed it
> back to "ask" so I can maybe get the details of what it is asking for. I
> reacted by blocking it and only remember it asking to allow as a server.

  This strongly suggests that you're seeing the second scenario --
script kiddie looking for a vulnerable machine.  Yours *might* not be
running any known-exploitable RPC services, but that's not a risk you
need to take.

> I am in a single computer setup but I am connected by a VPN to my employers
> mainframe system. They are running Computer Associates's Unicenter TNG and
> sdprimer.exe everytime I connect with the VPN so I am sure they are doing
> some snooping. I have been approached about internet activity with a list of
> all the sites I had been to so I know that is going on. This may be part of
> that.

  Do you ever get this alert while connected over the VPN?  Or *only*
when connected to it?

  Most VPN setups like this redirect *ALL* traffic, while connected,
through your employer.  That doesn't sound great, but the alternative
is for them to risk that a VPN-connected system like yours could, if
hacked, become a backdoor into their corporate network, bypassing
their other security measures.  It's an awkward compromise.
  The downside is that while you're connected to the VPN, odds are
that any browsing or other Internet traffic from you will look, to
the rest of the world, like it's coming from the corporate network.
They shouldn't care what sites you visit on your own, but when you
use their network and leave tracks pointing back to them, I can see
why they'd be concerned.  Basically, while you connect to their VPN,
you're bound by the company's policy on Internet access.

  (If you could find, on their list, a site that you never visited
while connected to the VPN, that they had to have recovered from the
History or Temporary Internet Files on your machine, then I'd say
they've overstepped some bounds.
  If the issue with these sites is that you're wasting company
resources, they should just be blocking those sites at their
firewall, and you won't be able to visit them while connected to the
VPN.  (If they're firewall doesn't let them do this, it's a poor fit
for their security policy, and speaking as a network security
specialist, I'd recommend they replace it with something that
supports the policy they've chosen.)  If, on the other hand, your
employer is a governemnt agency or contractor or some such, and the
sites raising concern are featuring illegal or inappropriate
material, then I can sort of understand why they might confront you --
 although they should understand that it's only your use of the VPN
that has made your activity visible to them -- you may have co-
workers who visit the same sites, but do a better job of avoiding
leaving a trail on the work systems....)

Dave Gillett

                         PCSOFT's List Owner's:
                      Bob Wright<[log in to unmask]>
                       Drew Dunn<[log in to unmask]>