I'd always prefer to have a separate NT dialin server on your intranet
rather than to open further ports on the firewall.
Having sort of a 'known' user community for dialin access, you can apply a
whole bunch of authentication methods to secure this node. In addition, you
can secure this dialin server using screened routing, which some of the
dialin servers already ship with.
IMHO, the risk of having a limited number of known users effectively
bypassing your firewall is calculable, whereas the risk of opening further
ports on your internet firewall is not. And the risk increases with every
new service port you have to open in order to serve your dialin user's
From a technical point of view, I do not know if the login to the NT server
would make any problems if you decide to access the NT domain through the
Unix firewall. NT's Remote Access Service (RAS) is usually used for dialin
access to an NT server, which should have some known port address...
Just my 0.07 pfennigs.
At 10:44 19.01.98 -0500, you wrote:
> Our firewall is a filtering router/application proxy configuration.
>We are currently running FWTK 2.0 on a Linux kernel. I'm a Unix
>I know next to nothing about windows, except that ports 135-139 are a very
>thing :) For this reason, I have the impression this access request may be
>too much of a security risk. But if this is going to fly, I have to my
>objective. Also, the alternative to not enabling this access request from
>this "dialin DMZ" would be that there would be a NT dialin server on our
>Intranet; effectively by-passing the firewall anyway.
EDS Electronic Data Systems Industrien (Deutschland) GmbH
Phone +49-6142-80-2942 Fax +49-6142-80-1755 Email oliverk @
PGP key fingerprint = C1 ED 3E E0 95 B5 05 28 A4 A4 E5 72 33 A7 20 B0
"It's a small world, unless you have to clean it." - Roger Wilco