The project I am working on has decided that firewalls are a
pretty neat idea so they came up with their own approach as follows.
The system is client/server based with most of the GUI stuff written
in VB on PC windows-based workstations. The workstations are scattered
all over the country with several in each of some 300 offices. The server
is UNIX based. They all talk over a private but untrusted TCP/IP based
network.
The plan is to place firewall boxes between each of the office LANs
and the grubby private network. The server has several similar boxes
to deal with the throughput.
Now ... the plan is to have these firewall-style boxes perform data
compression and encryption of the data passing through them, that way
miscreants will not be able to eavesdrop or spoof legitimate users.
The initial solution was to have a (SCO) Unix box have two protocol
stacks and a trivial application that performed the compression
and encryption. Each legitimate user on the lan would establish a
connection to one port on their local firewall and their messages would
emerge unharmed from one of the ports on one of the several firewalls
near the host.
Think of the network of firewall systems acting as a giant hard-wired
patch panel; a session goes in here and
... later ...
comes out over here.
The problem that I THINK we have is that, we want to establish,
NFS sessions end-to-end using RPC calls. I don't know if PC/NFS is capable
of being told that it has to establish a session with a particular port
on a host or whether we have to let it run a deamon and have that create
ports dynamically. What we REALLY want is a one-to-one relationship
between the PC workstation and NFS session on the host.
The other requirement is to authenticate that the workstation is
legitimate. I suggested that we rely on the hardware ethernet address
but I have a nagging suspicion that this can be spoofed.
Any comments. (head is seen vanishing behind parapet)
|
|
