Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: Reuters 3000 & Firewall-1 -- Knight-Ridder and IPX variation
From: Steven Langford <langford @ interaccess . com>
Date: Wed, 13 Nov 1996 21:50:14 -0500
To: firewalls @ greatcircle . com
References: <2 . 2 . 32 . 19961107213709 . 00b3c234 @ pop . frbchi . org>

Knight Ridder (now Bridge) Money Center for Windows, transits incoming-only news 
stories to their server via leased line.  This server sits on LAN and broadcasts 
news stories (IPX, not TCP/IP) to specific clients using proprietary news 
application.  

What are the risks?  Should we firewall between their server and our LAN?
They say it's one way only (incoming), so I should believe them, right?

Thanks,
Steve Langford


>> On Thu, 31 Oct 1996, Ken Kempster wrote:
>> > On Thu, 31 Oct 1996, Bruno Raoult wrote:
>> >
>> > > Hi,
>> > >
>> > > Someone talked in this mailing list about the port problem between
>> > > Reuters-3000 services and Firewall-1 services (#156 & 157).
>> > >
>> > > Unhappily I lost the report, and I'd like to ask some questions,
>> > > as:
>> > >  - Is there a security problem with this configuration?
>> > >  - Reuters-3000 uses Full IP from customer site to Reuters
>> > >    servers. Reuters does not want to give me details about
>> > >    their internal security. Does someone know something about it?
>> > >  - Reuters uses a Real-time Unix (QNX) as session server (=gateway).
>> > >    Does someone know about the security of this machine?
>> > >  - The QNX IP stack has been re-written for Reuters. Any
>> > >    information?
>> > >  - Reuters needs the customer to use RIP protocol. I think it
>> > >    may be quite dangerous, as Reuters may get information about
>> > >    our real network
>> > >  - Reuters "RBR" service needs to share NT disks from Reuters
>> > >    side to customer side. I think this implies the use of "considered
>> > >    dangerous" services as 137/138/139. Is there a risk there?
>> >
>> > What we have done here is put a PIX Firewall between the session server
>> > and our internal network.   IP's on our internal network are remapped
>> > to bogus ones on the session server side.
>>
>> How do you manage UDP ports? Do you let them pass through your PIX?
>> Do you trust Reuters translated addresses?
>
>All communication is initiated one way. From the Reuters side
>they are not able to initiate a connection;  the WS's on our internal
>network make the initial connection to the Reuters
>session server.  I.e.:   I can ping their IPs but they can't ping anything
>past the PIX.
>
>
