What are "all NT holes"? I am trying to defend using UNIX over NT
as our firewall and since I know little on NT I can't make a strong case.
(except the obvious, NT hasn't been subject to being outside a protected
network as long as UNIX so it's impossible to know its vulnerabilities until
it's open to hackers). Thanks.
______________________________ Reply Separator _________________________________
Subject: RE: Windows/NT as a Comm. Server
Author: Russ <Russ . Cooper @ RC . Toronto . on . ca> at Internet
Date: 5/31/96 5:49 PM
%
% Does anybody use Windows/NT (RAS) as a front-end communication server
% for remote access?
Yeh, some crazy people do.
Actually, lots of crazy people do...;-]
% (instead of traditional communication servers like Shiva or Livingston)
but why? Each RAS connection uses 2MHz of CPU (continuously, so a loaded
server will affect comms speed) and 1MB of ram.....
Well, this is not exactly true. If you use a ChiliPort, or Digiboard, comm
port, there is no direct load on the CPU or RAM for handling the users.
With these types of boards, NT becomes nothing more than a router.
% THEY claim that it is so secure that we do not even need a firewall...
% What about that?
aahahaha
If they can make a network connection to your NT box, then they can exploit
all NT's holes remotely......
Don't see why making it a RAS server makes it more secure......
I have to agree here, RAS doesn't make NT more secure by any means. In
fact, it could be argued that RAS makes NT a little less secure because
when it is implemented NT automatically enables IP Forwarding between all
its adapters. If your NT box is multi-homed, and forwarding had not
previously been enabled, it would be after RAS was installed. That said,
RAS can be set to follow the same rules for user authentication as clients
on the LAN have to follow. It's possible to establish encrypted sessions
between RAS users who are running NT.
As for being able to exploit all of NT's holes, well, if you can establish
a network connection with an NT box, whether you are local or remote, there
are things that can be exploited. But you have to establish that network
connection first. I wouldn't be more afraid of someone exploiting my NT box
remotely than someone exploiting it locally. Of course, providing dial-up
access to any network is a risk unto itself. Your NT RAS server can be set
up as part of an untrusted domain, forcing authentication to take place on
a third machine, which does help somewhat in ensuring proper
authentication.
Out of curiosity, what "firewall" is not needed because of RAS? Might you
be talking about using RAS to connect to the Internet providing a gateway
between your LAN and the Internet?
Cheers,
Russ