Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: Gauntlet & FW1 told me to do this!??!
From: Adam Burns <adamb@netstorm.net.au>
Date: Tue, 17 Jun 1997 16:28:47 +1100
To: "Mark A. Bialik" <markb@pmihwy.com>
Cc: firewalls@greatcircle.com

Access Control Lists can be configured on an account by account basis in
RADIUS. 
Check the docs with your particular flavour of the radius server.

I believe Livingston Portmasters support this as well. A majordomo mailing
list <portmaster-radius@livingston.com> is a good reference for RADIUS and
in particular Livingston gear.

Regards,

Adam.

At 12:57 AM 17/06/97 -0500, Mark A. Bialik wrote:
>Hello:
>
>Can someone give a critique of the options I present below?
>
>In a nutshell, an ISP wants to isolate the ISP net
>from their internal net. The internal net consists of a mix
>of NT servers and UNIX servers. All the employees have Win95
>machines at home. Both employees AND paying internet customers
>dialin via the same modem pool. (Livingston Portmasters
>authenticating against Linux Radius servers).
>
>The main concern is employees being able to browse the NT shares
>behind the firewall while keeping the external customers
>(and internet at large) from doing so.
>
>The ISP has decided on Gauntlet or Firewall-1. Reps from both
>companies have told them the following:
>
>Gauntlet:
>
>Bring the internal customers directly into the internal-net by
>placing a portmaster and radius server behind the firewall.
>Then this isn't an issue.
>
>Excuse me... but I thought modem banks behind the firewall
>was Cardinal Sin #1??!!??
>
>
>Firewall-1:
>
>Keep internal and external people dialing in via the same point (like
>now). Don't put modems behind the firewall.  Use the SecuRemote
>product on each employee's home machine to setup an encrypted
>tunnel between them and the firewall. Then allow those UDP packets
>to flow through the firewall.
>
>Umm.... isn't UDP through a firewall a bad idea?
>
>
>Which one of these is a better option? I think they both suck,
>so what would my alternative be? Thanks much for your attention.
>
>Mark
>
>======================================================================
>Mark A. Bialik						(414) 290-6749
>Systems Administrator				 www.pmihwy.com/~markb
>Preferred Medical Informatics    		      markb@pmihwy.com
>Infinity HealthCare, Inc.		mbialik@infinityhealthcare.com
>Mequon, WI USA			      			 www.linux.org
>======================================================================
     -NetStorm----------------------------------[adamb@netstorm.net.au]
      adam burns                                       central++vortex
      po box 3168                               vortex@netstorm.net.au
      south brisbane BC 4101 australia
     ------------------------------------------------------------------
      storming the reality network into a state of suspended disbelief
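An added illustration, not part of Adam's or Mark's mail and not code from any RADIUS server or Portmaster: the per-account ACL Adam refers to is carried in the RADIUS Access-Accept as a Filter-Id attribute (RFC 2865), which the NAS applies to that dial-in session, so an employee and a paying customer on the same modem pool get different filters. The account names, filter names and shared secret below are constructed placeholders.

```python
import hashlib
import struct

# RFC 2865 packet code and attribute types used below
ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_FRAMED_PROTOCOL, ATTR_FILTER_ID = 1, 6, 7, 11

# Constructed per-account policy: the RADIUS server, not the NAS, decides which
# filter each account gets. Filter names are placeholders for NAS-side filters.
ACCOUNTS = {
    "alice": {"role": "employee", "filter": "employee.in"},  # may reach internal shares
    "bob":   {"role": "customer", "filter": "customer.in"},  # internet only
}

def encode_attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_accept(ident, request_auth, secret, username):
    """Return an Access-Accept carrying the account's Filter-Id, or None if unknown."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", 2))     # Framed
             + encode_attr(ATTR_FRAMED_PROTOCOL, struct.pack("!I", 1))  # PPP
             + encode_attr(ATTR_FILTER_ID, acct["filter"].encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attrs(packet):
    """Decode the attribute TLVs after the 20-byte header into a {type: value} dict."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def verify_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator as a NAS would before trusting the attributes."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return expected == resp_auth
```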

