At 09:14 1/31/95, Anh-Huy (Steve) T. Ton wrote:
>I have a few questions on the following firewall config:
>
>Internet -- Router1 -- Gateway -- Router2 -- Internal Network
>                       w/Firewall
>                       Software
>                       (possibly FW-1)
>
> (1) How can I limit everyone in the Internal Network from
> accessing the Internet (i.e. permit some & deny others)?
> Does FW-1 have ACL's for user id's?
Almost all current filtering products (and FW-1 is a filtering product) work
by IP address, not user ID. You could restrict access by user if you could
link particular users to particular IP addresses (the machines on their desks,
for instance), but that's about it. Information about user ID just isn't in the
protocols.
With proxy-based systems, you have more options for user-level control. You
can force users to identify and authenticate themselves to the proxy server
before it will honor their requests. See the TIS Firewalls Toolkit stuff
(available for anonymous FTP from FTP.TIS.COM) for examples of this approach.
> (2) If someone from my Internal Network gets onto the Internet
> using ftp, telnet, Mosaic, etc., is my Internal Network
> number exposed in the source address of the IP header?
Unless you're using some sort of proxy mechanism, yes.
> Is there a way to hide this (my IP network addresses)?
Use some sort of proxy mechanism.
-Brent
--
== For info about the Internet Security Firewalls Tutorial and a schedule ==
== of upcoming dates, please send email to Tutorial-Info@GreatCircle.COM  ==
==============================================================================
== Brent Chapman                                   Great Circle Associates ==
== Brent@GreatCircle.COM                             1057 West Dana Street ==
== +1 415 962 0841                                 Mountain View, CA 94041 ==
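An added illustrative model, not from the thread, of the distinction Brent draws: a packet filter decides on IP-header fields only, so its ACL can be keyed on addresses (and ports) but never on users, while a proxy can demand authentication first and then relays the connection from its own outside address, so the internal source address never appears on the Internet side. The subnet, addresses, user names and function names are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: internal net 10.1.0.0/16 (hypothetical), gateway's
# outside address 192.0.2.10 and a destination in 198.51.100.0/24 (doc ranges).

@dataclass(frozen=True)
class Packet:
    src: str     # source IP address as seen in the IP header
    dst: str     # destination IP address
    dport: int   # destination TCP port

# Router-style filter ACL, first match wins, implicit deny at the end.
# Note what is absent: there is no field for a user, because the IP header
# carries none. Permission is tied to the address on someone's desk.
FILTER_ACL = [
    ("permit", "10.1.5.0/24", None),   # whole staff subnet may go out
    ("permit", "10.1.9.7/32", 80),     # one host, HTTP only
    ("deny",   "10.1.0.0/16", None),   # the rest of the internal net
]

def filter_decision(pkt: Packet) -> str:
    """Packet-filter decision from IP-header fields alone."""
    src = ip_address(pkt.src)
    for action, net, port in FILTER_ACL:
        if src in ip_network(net) and (port is None or port == pkt.dport):
            return action
    return "deny"

# Proxy on the gateway: the client must authenticate before any request is
# honoured, and the proxy itself opens the outbound connection, so the
# packet that reaches the Internet carries the proxy's address as source.
PROXY_OUTSIDE_ADDR = "192.0.2.10"
PROXY_USERS = {"alice"}                # users permitted to reach the Internet

def proxy_relay(user: str, authenticated: bool, internal_src: str,
                dst: str, dport: int):
    """Returns (decision, outbound packet or None) for a proxied request."""
    if not authenticated or user not in PROXY_USERS:
        return ("deny", None)
    # internal_src is deliberately not copied into the outbound header.
    return ("permit", Packet(PROXY_OUTSIDE_ADDR, dst, dport))

if __name__ == "__main__":
    print(filter_decision(Packet("10.1.20.4", "198.51.100.1", 80)))  # deny
    print(proxy_relay("alice", True, "10.1.20.4", "198.51.100.1", 80))
```

Two users sharing the host 10.1.20.4 get the same filter verdict because the filter never sees them; only the proxy path can tell alice from bob.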