Great Circle Associates Firewalls
(August 1996)
 


Subject: Re: recommendations -- secure access over internet
From: Messages_Roswell @ oxy . com (Messages Roswell)
Date: Fri, 23 Aug 1996 11:14:52 -0500
To: firewalls @ greatcircle . com, rich <raf @ ezunx . com>

     First, you can use a plugged gateway whereby an outside TCP/IP address 
     directed to your firewall's address is routed to a specific inside 
     TCP/IP address which is unknown to the outside user.
     
     Second, you probably should limit the access to only those 
     applications necessary such as telnet and ftp. 
     
     Third, you really need a smartcard such as Digital Pathways' Secure 
     Net Key or Security Dynamics' SecurID. You cannot authenticate by 
     TCP/IP address alone; it is easily spoofed. As far as costs, the TIS 
     Gauntlet firewall has a built-in Digital Pathways authentication 
     server and provisions to authenticate to an external authentication 
     server. Therefore the cost is low, $60 per card per user for a secure 
     connection. Depending on your specific firewall this could cost more. 
     Good security isn't cheap!
     
     
     There are other methods depending on your application; for instance, you 
     could use ColdFusion and a database front end with password validation 
     and a Netscape Commerce Server with SSL and build outside access to a 
     secure internal application.
     
     Regards,
     Bill Roswell
     Bill_Roswell @ oxy . com
     Occidental Petroleum Corporation.
     


______________________________ Reply Separator _________________________________
Subject: recommendations -- secure access over internet
Author:  rich <raf @ ezunx . com> at internetoxy
Date:    8/22/96 6:34 PM


Hi,
     
Although I have some general ideas already I would like to take 
advantage of the intellect present on this list.
     
Consider a couple of hosts inside a NAT-based firewall.
     
Requirement -- Access to these hosts from another machine (known 
address) out on the internet somewhere.  Would like to do it on 
a per user basis, nothing ip/hostname based.
     
Problem -- still need to make sure the inside addresses are not 
visible to the outside.  
     
Considering a challenge/response type system, not smartcard though, 
due to cost.  Any other suggestions????
     
thanks,
-rich
     
                             o' |,=./ `o
                                (o o)    
                       -----ooO--(_)--Ooo-------
     
** Remember -- If you can keep your head when all others around
               you are losing theirs...
     
You're probably not paying attention!
