> From: firewalls-owner[SMTP:firewalls-owner @
> Sent: 30 January 1996 10:56
> To: firewalls
> Subject: MS-Windows PC as an email gateway
> My company is looking at a quick way of getting on the Internet without
> investing in a lot of hardware and engineering effort. One idea, which
> has management interested, is to work with a local ISP to get a dedicated
> line, either ISDN or 28.8, to tie a PC running MS-Windows or MS-Windows
> NT to the Internet.
> This PC would be an FTP server and WWW server. This PC would only be
> connected to our office network _after_ it had been disconnected from the
> ISP connection. Thus, no need for a fire wall. (So we can transfer files
> back and forth.)
How do you intend to prevent the PC from being connected to the internet
and to the internal net at the same time? Physical disconnection? (How
do you prevent someone from physically connecting to both nets at once? the
two?) Single card? How are you going to prevent interface
messups and too much inconvenience from reconfiguring net links?
Also if the PC is sometimes connected to the inside and sometimes connected
to the outside I assume that information on both nets are on the machine at
all times. Can time delay attacks be set up on the PC? (I don't know about
DOS programming enough to really know if you can script or otherwise run
that.) If you are going through the trouble of switching nets
that are up on the PC and going over to the PC for surfing you
might as well use sneaker net (floppies/tape/cd tranferring of
information) and never connect the PC to the internal net.
> As a short term solution is this seems pretty good. The only problem is
> that we also want e-mail. Today we use UUCP every couple of hours, but
> there is a big push to have immediate access to incoming and immediate
> outbound email, but on the internal network.
That sounds like you will need the net connected on both sides at the same
time. The "I don't need a firewall because it is only connected on one
side at a time" goes away.
> Is it possible to use MS-Windows or NT as an email-only gateway? I am
> assuming we would need a second lan card or a router?
> What security issues should I look out for? I assume that not allowing
> the PC to be a telnet server is a start and only exposing the internal
> email server to the PC is also a good idea.
How do you get the mail from the email server to the
internal net? Once you have a link from your internet to your internal
net the door is open. If you can't get the firewall right away then you
should wait on the email, assuming the data on the internal net is something
you need to protect. If the data is less valuable (to others) then the
need to protect goes down. You have to weight the risks.