Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Reuters 3000 & Firewall-1
From: Bruno Raoult <br @ ota . societe-generale . fr>
Date: Thu, 31 Oct 1996 18:24:48 +0100 (MET)
To: Ken Kempster <kempster @ monarch . rnb . com>
Cc: firewall digest <firewalls-digest @ GreatCircle . COM>
In-reply-to: <Pine . SOL . 3 . 95 . 961031091841 . 3752A-100000 @ monarch>

On Thu, 31 Oct 1996, Ken Kempster wrote:
> On Thu, 31 Oct 1996, Bruno Raoult wrote:
> 
> > Hi,
> > 
> > Someone talked in this mailing list about the port problem between
> > Reuters-3000 services and Firewall-1 services (#156 & 157).
> > 
> > Unhappily I lost the report, and I'd like to ask some questions,
> > as:
> > 	- Is there a security problem with this configuration?
> > 	- Reuters-3000 uses Full IP from customer site to Reuters
> > 	  servers. Reuters does not want to give me details about
> > 	  their internal security. Does someone know something about it?
> > 	- Reuters uses a Real-time Unix (QNX) as session server (=gateway).
> > 	  Does someone know about the security of this machine?
> > 	- The QNX IP stack has been re-written for Reuters. Any
> > 	  information?
> > 	- Reuters needs the customer to use RIP protocol. I think it
> > 	  may be quite dangerous, as Reuters may get information about
> > 	  our real network
> > 	- Reuters "RBR" service needs to share NT disks from Reuters
> > 	  side to customer side. I think this implies the use of "considered
> > 	  dangerous" services as 137/138/139. Is there a risk there?
> 
> What we have done here is put a PIX Firewall between the session server
> and our internal network.   IP's on our internal network are remapped
> to bogus ones on the session server side.

How do you manage UDP ports? Do you let them pass through your PIX?
Do you trust Reuters translated addresses?

> Question for you?   Are you running internal DNS?  If so,  did you have
> problems configuring it to forward requests for session.rservices.com
> to the session server?   What was your solution?

Yes, we have. But it is not yet configured. I suppose it should work *IF*
Reuters DNS proxy has a "normal" way to run (it should be a simple
domain/network delegation). Which are your problems?


                 \|||/
                 (. .)
+-------------ooO-(_)-Ooo------------------------------------------------+
| Bruno RAOULT - Chess, tonight?                                         |
|                                                                        |
|  Tel.   (33-1) 42.13.45.19         Fax:    (33-1) 42.13.69.66          |
|  Kobby. (33-1) 51.01.20.71         e-mail: br @ ota . societe-generale . fr  |
+------------------------------------------------------------------------+
                 || ||
                ooO Ooo


