*warning* shameless plug!
O'Reilly will be releasing a book Dec. 6th entitled "Internet Information
Services" in which a chapter has been dedicated specifically to the problems
outlined below. Although my 15 pages don't go into the gory detail of
Cheswick/Bellovin's book, it is a decent overview of the issues and possible
solutions.
Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX
/**********************************************************************
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
**********************************************************************/
>
> Mail*Link(r) SMTP providing public (FTP & HTTP) servers thru
> firewall
>
> As I think about the implications of getting Internet connectivity, I'm
> wondering about how to provide publicly accessible FTP & WWW servers,
> in conjunction with a firewall.
>
> I'm planning on running the TIS Firewall Toolkit, with all outgoing
> connections proxied thru a bastion host. I'd also like to maintain an
> ftphost, for putting things up for anonymous FTP, and I'm wondering how
> to do this. The options I've considered are:
>
> (1) Locate the ftphost on the bastion host. Both internal & external
> clients connect here. Simple.
>
> (2) Locate the ftphost inside the firewall, opening a hole in the
> packet-screen to allow FTP traffic to & fro. Dangerous?
>
> (3) Locate the ftphost inside the firewall, but maintain an external
> DNS that says ftphost == bastion host. Then provide a proxy
> service on the bastion host that connects directly to ftphost.
> Weird, huh?
>
> Comments? How do other people do this?
>
> The WWW question is similar, but with an added twist. How can internal
> WWW clients connect directly to an internal WWW server, while still using
> a proxy to access external servers?
>
> - Mike W.
>
>
>