Knight Ridder (now Bridge) Money Center for Windows transits incoming-only news
stories to their server via leased line. This server sits on the LAN and broadcasts
news stories (IPX, not TCP/IP) to specific clients using a proprietary news
application.
What are the risks? Should we firewall between their server and our LAN?
They say it's one way only (incoming), so I should believe them, right?
Thanks,
Steve Langford
>> On Thu, 31 Oct 1996, Ken Kempster wrote:
>> > On Thu, 31 Oct 1996, Bruno Raoult wrote:
>> >
>> > > Hi,
>> > >
>> > > Someone talked in this mailing list about the port problem between
>> > > Reuters-3000 services and Firewall-1 services (#156 & 157).
>> > >
>> > > Unhappily I lost the report, and I'd like to ask some questions,
>> > > such as:
>> > > - Is there a security problem with this configuration?
>> > > - Reuters-3000 uses Full IP from customer site to Reuters
>> > > servers. Reuters does not want to give me details about
>> > > their internal security. Does someone know something about it?
>> > > - Reuters uses a Real-time Unix (QNX) as session server (=gateway).
>> > > Does someone know about the security of this machine?
>> > > - The QNX IP stack has been re-written for Reuters. Any
>> > > information?
>> > > - Reuters needs the customer to use RIP protocol. I think it
>> > > may be quite dangerous, as Reuters may get information about
>> > > our real network
>> > > - Reuters "RBR" service needs to share NT disks from Reuters
>> > > side to customer side. I think this implies the use of "considered
>> > > dangerous" services as 137/138/139. Is there a risk there?
>> >
>> > What we have done here is put a PIX Firewall between the session server
>> > and our internal network. IP's on our internal network are remapped
>> > to bogus ones on the session server side.
>>
>> How do you manage UDP ports? Do you let them pass through your PIX?
>> Do you trust Reuters translated addresses?
>
>All communication is initiated one way; from the Reuters side
>they are not able to initiate a connection; the WS's on our internal
>network make the initial connection to the Reuters
>session server. I.e., I can ping their IPs but they can't ping anything
>past the PIX.
>
>
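One way to check a vendor's "one-way only" claim from a packet capture instead of taking it on trust. This is an added example for this thread, not code from any of the posters or from Reuters, Knight Ridder or Cisco. It decides, per flow, which side opened it: for TCP that is whoever sent the bare SYN, for UDP whoever sent the first packet of the 5-tuple, which is the same fact a stateful firewall such as the PIX keys its return-traffic decisions on. The capture line format, the hosts and the addresses are constructed for illustration (10.1.0.0/16 stands in for the internal LAN, 192.0.2.10 for the vendor's session server); a real run would feed it flows parsed from tcpdump. It only covers the IP case (the Reuters setup); IPX broadcasts like the Knight Ridder feed are outside what an IP capture shows.

```python
"""Verify a vendor's "one-way only" claim from a packet capture.

Added example for this thread; not code from the original posts or from
any vendor named in it.  The capture format, hosts and addresses below are
constructed: 10.1.0.0/16 stands in for the internal LAN and 192.0.2.10 for
the vendor's session server on the far side of the firewall.
"""
import ipaddress
from collections import OrderedDict

# Constructed sample capture (not real traffic).  Fields:
#   timestamp proto src_ip:port > dst_ip:port [tcp_flags]
# TCP flags use tcpdump-like notation: "S" = SYN, "S." = SYN-ACK, "." = ACK.
SAMPLE_CAPTURE = """\
10:00:01.000 TCP 10.1.5.20:1034 > 192.0.2.10:3000 S
10:00:01.010 TCP 192.0.2.10:3000 > 10.1.5.20:1034 S.
10:00:01.020 TCP 10.1.5.20:1034 > 192.0.2.10:3000 .
10:00:02.000 UDP 10.1.5.20:2001 > 192.0.2.10:4001
10:00:02.050 UDP 192.0.2.10:4001 > 10.1.5.20:2001
10:00:03.000 UDP 192.0.2.10:4002 > 10.1.5.21:2002
10:00:04.000 TCP 192.0.2.10:139 > 10.1.5.22:1099 S
10:00:04.500 TCP 10.1.5.22:1099 > 192.0.2.10:139 S.
"""


def parse_packet(line):
    """Parse one capture line into a dict; ports become ints."""
    fields = line.split()
    ts, proto, src, _, dst = fields[:5]
    flags = fields[5] if len(fields) > 5 else ""
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "flags": flags,
            "src": (sip, int(sport)), "dst": (dip, int(dport))}


def flow_initiators(capture_text):
    """Map each flow to the endpoint that opened it.

    A flow is identified by protocol plus the unordered pair of endpoints.
    For TCP only a bare SYN counts as opening the connection; if the first
    packet seen for a TCP flow is anything else (SYN-ACK, data) the start
    was missed and the flow is left unclassified rather than guessed.  For
    UDP there is no handshake, so the first packet seen defines direction,
    which is also how a stateful firewall decides what "return" traffic is.
    """
    flows = OrderedDict()
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_packet(line)
        key = (pkt["proto"],) + tuple(sorted([pkt["src"], pkt["dst"]]))
        if key in flows:
            continue  # initiator already known for this flow
        if pkt["proto"] == "TCP" and pkt["flags"] != "S":
            continue  # not a connection open; the opening packet was not captured
        flows[key] = {"proto": pkt["proto"], "first_seen": pkt["ts"],
                      "initiator": pkt["src"], "responder": pkt["dst"]}
    return flows


def externally_initiated_flows(capture_text, internal_net):
    """Return the flows whose initiator is NOT inside internal_net.

    If the claim that nothing is ever initiated from the vendor side holds,
    this list is empty for a capture started before the sessions were opened.
    """
    net = ipaddress.ip_network(internal_net)
    return [f for f in flow_initiators(capture_text).values()
            if ipaddress.ip_address(f["initiator"][0]) not in net]


if __name__ == "__main__":
    for flow in externally_initiated_flows(SAMPLE_CAPTURE, "10.1.0.0/16"):
        print("{proto} flow opened from outside at {first_seen}: "
              "{initiator[0]}:{initiator[1]} -> {responder[0]}:{responder[1]}"
              .format(**flow))
```

Run it over a capture taken on the LAN side of the firewall that was started before the workstations open their sessions and that spans a full day of feed traffic. An empty result is consistent with the vendor's claim (it is not proof); a non-empty one is a concrete flow, with the ports involved, to put in front of them. Because UDP direction is only ever "first packet seen", a capture started mid-session will misclassify existing UDP flows, so the start time matters.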