In article , wrote:
:I have a group of folks I'm working with that have a small private
:LAN (about 40 or so IPs). They have a NAT firewall but recently they
:found that they needed to provide external access to one of the
:machines for remote maintenance. Not being networking types, the way
:they accomplished this was to bypass the router/firewall and connect
:the machine directly from another bridged router to an existing and
:already in use hub on the LAN!
As usual, the risks depend on the OS involved and on the efforts that have been made to secure the host. A well-set-up host could end up being more secure than a poorly set up firewall (but firewalls usually make it -easier- to secure devices reasonably well.)
:I've been trying to explain to them what a tremendously bad idea this
:is but I'm not really getting through to them because they don't
:understand the language and ramifications.
:The guilty parties are primarily financial folks and I need to be able
One tactic that -might- work is to inform them that if they fail to protect the host better, and money were to be stolen as a result of it, that they will effectively not be able to recover the money or prosecute, even if they somehow know exactly who took it.
The problem is that in order to prosecute such a case, even with good evidence, they would be forced to reveal in court what security measures were in place to protect the equipment, as the defence will claim that it was some -other- party responsible. With weak (non-existent) security defences and no logs because the firewall is bypassed, the security arrangements are not something they are going to want to admit to in court, in the public record, where serious criminal elements *will* read the evidence and proceed to abuse the insecurity.
The anecdotal evidence is that financial institutions often decline to prosecute in order to avoid public revelations of weak security practices. Sometimes they don't even dare fire caught internal employees, lest the employee sue for unfair termination, which would trigger airing the dirty laundry in public.
In terms of specific cases: there was one a few years ago with a different but related slant. A respected constable in England noticed a bit of money missing from his account, and reported it to the financial institution. The bank said it couldn't happen and that the constable must have taken the money out (of an ATM) himself or allowed someone to know his PIN. When the constable said he was sure that didn't happen, the financial institution charged the constable with attempting to defraud the institution, on the ground that the scenario the constable presented "was impossible with our security" and therefore the constable was lying in order to obtain the [not very large] amount of money. The constable was *convicted* on the bank's say-so that the security was impenetrable.
Fortunately, word of what happened reached the public and a number of prominent computer security people went to the aid of the constable, and were well prepared for the appeal. When the security experts demanded that the financial institution describe for the court the security measures that were in place (whereas in the first trial they just -asserted- that they had great security in place), the financial institution chose to withdraw the charges rather than have to describe the security measures for the court. The security experts already had a good idea of the kinds of measures that had to be in place, and were prepared to refute the claims that the measures were impossible to break, but the financial institution preferred not even to be questioned with "Isn't it true" type questions, let alone have to say explicitly what the security was. [The constable was thus declared innocent, but the incident effectively damaged his career, not to mention other parts of his life.]
Since that time, there have been quite a number of cases in which sophisticated organized rings have effectively broken the security of ATM machines (a different matter than breaking the security of the EFT transactions!)... but banks still try to claim that their security is unbreakable. And in the case of the folks you are working with, the financial institution would be shredded in court if anything came up.
These days you can get $US100 VPN devices that do a good enough job for VPNs that aren't in constant use. It isn't even worth asking the company lawyer for legal opinions: that'd cost more than the VPN device!