At 10:14 AM 11/29/95 -0800, Eric Vanuska wrote:
>Last week I posted a query about TIS. Since I did not receive any
>responses, I'm going to re-state my question.
>We want to protect our DMZ from our internal user community as well
>as provide a "third layer of protection" from the users on the internet.
> Internet -- Filter ---DMZ w/ TIS proxy -- Filter --- Internal Net
> Router #1 server Router #2
>The question boils down to this, does adding a second filtering router
>provide any significant protection from crackers on the internet?
First and formost, it will prevent the cr/hacker from being able to monitor
traffic on the internal net if/when the proxy server is cracked. Keep in
mind though that any protection you get is what you have programmed your
>Because we are using TIS, the filters from our DMZ to our internal net
>are very, very wide. In my eyes, this reduces the effectiveness of the
>second filtering router to practically nothing. Although the second
>router does protect our DMZ from our internal users quite nicely.
>I am assuming that an internet based cr/hacker is somehow able to gain
>access to our TIS proxy server. (Yes I know this a big assumption,
>but I am doing my best to be paranoid :)) Once that happens, allowing
>the proxy server to initiate a TCP connection (w/ port > 1023) to any
>one of our TIS clients is a bad thing. If you want to see which ports
>I've opened up, please see original email below.
>In response, my crime-fighting-partner says, "...you're full of crap...".
>Specifically he says:
> 1. Since, we already have a filtering router and proxy servers,
> how can a cr/hacker gain access to our proxy server?
Tell your crime-fighting-partner to get his head out of the sand. Are you
running syslog on the proxy server? Have you made all latest patches to
TIS, the OS, etc...?
> 2. So what if the proxy server can create a TCP connetion to
> our clients. Unless the clients have an application that is listening
> to these high number ports, what's the harm?
>So what do all think? Am I being overly paranoid? Is it just about
On this list!? Nah. ;->
>impossible that a cr/hacker can gain access to our proxy server, by
>virute of the fact that it is protected by a filtering router, etc?
>Is the second filtering router just protecting our DMZ from our
>internal user community and nothing else? Is all this just window
Best of luck to you ericv.
S. Lane Pierce