Our company has a firewall that provides very limited access to the
Internet for inside machines. We've been kicking around the idea of
setting up proxy servers within the gateway, but since we have so many
old and diverse unix boxes on the internal network, it would not be
a pleasant thing to do.
Since most users have windows pcs on their desks, what I'm considering
is as follows:
                               -------
                               |     | Internet
                               -------
                                  |
                               -------
                               |     | Router
                               -------
                                  |    Unsecured network
[--------------------------------------------------------------------]
   |         |         |           |           |         |
   |         |         |           |           |         |
 ------    ------    ------    ----------    ------    ------
 |    |    |    |    |    |    | Gateway|    |    |    |    |
 |win |    |win |    |win |    |        |    |win |    |win |
 | pc |    | pc |    | pc |    |        |    | pc |    | pc |
 ------    ------    ------    ----------    ------    ------
   |         |         |           |           |         |
   |         |         |           |           |         |
[--------------------------------------------------------------------]
        |                 |           |           |    Secured network
        |                 |           |           |
-----------------      -------      ------      ------
| production    |      |linux|      |unix|      |unix|
| unix box      |      |     |      |    |      |    |
-----------------      -------      ------      ------
I am making some assumptions:
1) I trust my users not to fiddle with routing on their PCs
2) There are no services running on the PCs that'll get me into trouble
3) This will be less time consuming than coming up with custom clients
for all the machines
4) I give up the ability to telnet/ftp/etc from one of the unix boxes on
the internal network
The windows pc users would then have access to both the internet (which
they want), and to the internal machines (which they need). They would
still receive email through the gateway but could ftp/telnet/www/gopher/...
with standard pc tools. I'll have to make sure they run only "approved"
client software, but I won't have to change it to work with SOCKS or such.
Am I all wet? Cheswick & Bellovin don't mention this type of configuration
at all.
John Lombardo
john @ deltanet . com
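The design above rests on assumptions 1 and 2: a PC with one interface on each LAN is a dual-homed host, and the moment IP forwarding is switched on (or a service is listening on its unsecured-side address) it becomes a path around the gateway. The following audit script is an added example, not part of the original post: it walks a small inventory of hosts and flags exactly those two conditions. The two subnets (192.0.2.0/24 for the unsecured LAN, 198.51.100.0/24 for the secured LAN), the hostnames and the interface and listener data are all constructed for illustration; in practice the records would be filled from each machine's interface and listening-socket listing.

```python
"""Audit a host inventory for dual-homed machines that undermine a firewall.

Added example, not from the original post. Subnets, hostnames and the
inventory records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed addressing: RFC 5737 documentation ranges stand in for the two LANs.
UNSECURED = ipaddress.ip_network("192.0.2.0/24")
SECURED = ipaddress.ip_network("198.51.100.0/24")


@dataclass
class Host:
    name: str
    addresses: list                                 # interface addresses as strings
    ip_forwarding: bool = False                     # does the host route between interfaces?
    listening: list = field(default_factory=list)   # (bind_address, port) pairs


def networks_of(host):
    """Return the set of LAN names ('unsecured', 'secured') this host sits on."""
    nets = set()
    for a in host.addresses:
        ip = ipaddress.ip_address(a)
        if ip in UNSECURED:
            nets.add("unsecured")
        if ip in SECURED:
            nets.add("secured")
    return nets


def audit(host):
    """Return findings for one host; an empty list means it respects the design."""
    findings = []
    nets = networks_of(host)
    dual_homed = nets == {"unsecured", "secured"}

    # Assumption 1: a dual-homed PC must not forward packets between the LANs.
    if dual_homed and host.ip_forwarding:
        findings.append("dual-homed with IP forwarding on: host routes around the firewall")

    # Assumption 2: nothing may listen where the unsecured LAN can reach it.
    # A wildcard bind (0.0.0.0) counts as exposed only if the host has an
    # unsecured-side interface at all.
    for addr, port in host.listening:
        ip = ipaddress.ip_address(addr)
        exposed = ip.is_unspecified or ip in UNSECURED
        if exposed and "unsecured" in nets:
            findings.append(f"service on {addr}:{port} reachable from the unsecured LAN")
    return findings


def audit_all(hosts):
    """Map each host name to its list of findings."""
    return {h.name: audit(h) for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("pc1", ["192.0.2.11", "198.51.100.11"]),                       # behaves as intended
    Host("pc2", ["192.0.2.12", "198.51.100.12"], ip_forwarding=True),   # violates assumption 1
    Host("pc3", ["192.0.2.13", "198.51.100.13"],
         listening=[("0.0.0.0", 139)]),                                # violates assumption 2
    Host("prod-unix", ["198.51.100.50"],
         listening=[("0.0.0.0", 23)]),                                 # secured LAN only: fine
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The check treats a wildcard listener on a host that is only on the secured LAN as acceptable, because the gateway still stands between it and the outside; the same listener on a dual-homed PC is flagged, since the PC's unsecured-side interface answers for it.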