In article <9504190422.AA27283@clipper.cb.att.com> you write:
> If some ]<raker ]D00D successfully gets into
>my home machine, he's got a prompt on a machine behind my company's firewall.
Or, if some cracker figures out which number my home machine is calling,
he is now at a public dial-in point behind the firewall.
In my security model, there are two firewalls, with a lobby area in between.
Dial-in points - like public servers - go in the lobby area.

    INTERNET
        |
    ACCESS PROVIDER
        |
    - access link -
        |
    LOCAL ACCESS ROUTER with packet filter
        |
    LOBBY AREA includes public access servers, pc DNS and mail router
        |
    ISOLATION ROUTER
        |
    Inside network

In my environment, we don't feel that the benefits of a proxy gateway
on the inside firewall are worth the trouble; we can live with a packet
filtering router. Thus, it is no trouble to punch a hole in the inner
"firewall" for the work-at-home dial-ins. I would worry a lot about
putting the access point for those dial-ins inside the inner firewall.
--
/ Lars Poulsen Internet E-mail: lars@RNS.COM
Rockwell Network Systems Phone: +1-805-562-3158
7402 Hollister Avenue Telefax: +1-805-968-8256
Santa Barbara, CA 93105 Internets: designed and built while you wait
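
The layout argued for above, as an added example that is not part of the original post: a small Python model comparing what someone with a prompt on the dial-in server can reach when that server sits in the lobby versus inside the inner firewall. Only the zone and router names come from the post; the host names, ports and the single punched hole (telnet to one inside host) are constructed assumptions.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port")  # one flow a router's packet filter permits

# Constructed hosts and listening ports; only the zone names come from the post.
SERVICES = {"www": {80}, "mail-router": {25},
            "dev-host": {23, 513}, "hr-db": {1521}}
ZONE = {"www": "lobby", "mail-router": "lobby",
        "dev-host": "inside", "hr-db": "inside"}

# Local access router with packet filter: Internet may reach lobby servers only.
OUTER = [Rule("internet", "www", 80), Rule("internet", "mail-router", 25)]
# Isolation router: the hole punched for work-at-home dial-ins (assumed: telnet).
INNER = [Rule("dialin-server", "dev-host", 23)]

# Packet filters a connection crosses on its way to the inside network.
PATH_TO_INSIDE = {"internet": [OUTER, INNER], "lobby": [INNER], "inside": []}


def permitted(rules, src, src_zone, dst, port):
    """True if a rule allows src (matched by host name or by zone) to reach dst:port."""
    return any(r.src in (src, src_zone) and r.dst == dst and r.port == port
               for r in rules)


def exposure(src, src_zone):
    """Inside (host, port) pairs reachable by someone with a prompt on src."""
    return {(host, port)
            for host, ports in SERVICES.items() if ZONE[host] == "inside"
            for port in ports
            if all(permitted(f, src, src_zone, host, port)
                   for f in PATH_TO_INSIDE[src_zone])}


if __name__ == "__main__":
    for zone in ("lobby", "inside"):
        print("dial-in server in", zone, "->",
              sorted(exposure("dialin-server", zone)))
    print("arbitrary Internet host ->",
          sorted(exposure("internet-host", "internet")))
```

With the dial-in server in the lobby, a compromise of it is bounded by the rules on the isolation router; with it on the inside network, no filter sits between it and any inside service.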