--------
] From: Jean-Marc LAFAYE <jle @ ost . fr>
] Subject: TCP-IP suite and Firewalls
] Date: Mon, 30 May 1994 17:26:51 --100
]
] Hi All,
]
] I'm new to this list and I'm interested in firewalls and security issues
] because our company -recently attached to the internet- wishes to offer
] internet's services to many people, without damages for our integrity.
] So, I have to plan the interconnection between a registered network -used to
] access the internet- and an unregistered one -used for internal purposes,
] such as text processing or spreadsheet-.
By "unregistered one", do you mean an IP network number which is not
registered to your organization?
Using an unregistered IP network number does nothing to improve your
security (i.e. a registered network can be made just as secure as an
unregistered one), and creates the very real possibility of future
address conflicts when an important external customer/supplier turns
out to be assigned the same network....
] Reading various articles, it seems that firewalls and TIS-toolkit are
] designed for full-IP networks. Is it right ?
If "full IP" networks means "IP protocol running on both sides", I'd
say that that's generally correct about the commercial marketplace.
] If internal network is not based on TCP/IP suite, does an appropriate
] gateway ensure a good protection ?
The fact that the internal network is based on something other than IP
does not significantly improve its security. Somewhere, there is a host
which is connected to both the internal network and IP; once that host falls,
it's generally trivial to move about internally. (unless the internal
network protocol is absolutely devoid of functionality... :-)
] At least, what type of data could I leave on the machine directly
] attached to internet ? Is there any risk with NIS or DNS data bases ?
I would not recommend NIS unless you know someone who believes in secure
RPC and has lots of free time. DNS isn't a problem as long as you start
with the assumption that such DNS data is visible to the public.
If you're just getting started, you might want to bring in one of the many
Internet security consultants to help with your initial configuration.
/John