Great Circle Associates Firewalls
(June 1995)
 


Subject: Re: Vendor Lines
From: P . vanMossel @ telecom . ptt . nl
Date: Tue, 06 Jun 1995 12:12:36 +0200
To: firewalls @ GreatCircle . COM

Reply to message of Chris S Nichols <taft!nicholcs @ uustar . starnet . net>,
Fri, 2 Jun 1995 10:24:09 -0500 (CDT).

I don't know what is common. IMHO connections (Internet, remote user dial
services, and vendor communications lines) should be separated using some
criteria:
- differences between groups of people (amount of control)
- means used for the physical connection
- information exposed and potentially reachable
- protocols to be used; initiative allowed for incoming traffic?
Compatible connections can use one firewall.

A firewall controls a connection between an inside and an outside. Using two
firewalls results in a configuration consisting of an inside, a betweenside
and an outside (I named them green, orange, red segment - like a traffic light):
 green --- firewall_1 --- orange --- firewall_2 --- red
We are moving connection to such a configuration for vendors.

Each vendor is connected with a router to red (they are not allowed to reach
each other!). Through firewall_1 they can reach the systems on orange. Those
systems are not allowed to connect to each other. Special care is given to
log the traffic on orange. Users on the inside (green) reach the systems on
orange through firewall_2. Both firewalls are full application level firewalls.

If firewall_1 were only a router, the configuration would be a "server on the
DMZ" type solution. I don't think this is enough. We want to use
authentication and encryption on firewall_1 for vendor connections. Besides
that we don't want to mix different kinds of traffic/connections. General
Internet use is separate from primary business use and business use of
Internet is separate from private connections.
---------------------------------------------------------------------
drs. Paul van Mossel  | Phone: +31 50 852238  Fax: +31 50 852240
PTT Telecom BV, I&AT  | E-mail    : P . vanMossel @ telecom . ptt . nl
P.O. Box 188          | DISCLAIMER: This statement is not an official
NL-9700 AD  Groningen | statement from, nor does it represent an,
The Netherlands       | official position of, PTT Telecom B.V.
---------------------------------------------------------------------
X400 address: /c=NL/admd=400NET/prmd=PTT Telecom/s=van Mossel/I=P
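
The segmentation rules described in the message above, expressed as an audit over flow records. This is an added example, not part of the original post; the addresses, the log format and the deny-by-default treatment of flows the post does not mention are assumptions.

```python
import ipaddress
import re

# Constructed addressing plan: the post names the segments but gives no addresses.
ZONES = {
    "green": ipaddress.ip_network("10.1.0.0/16"),   # inside users
    "orange": ipaddress.ip_network("10.2.0.0/24"),  # systems vendors may reach
    "red": ipaddress.ip_network("10.3.0.0/16"),     # vendor routers
}
# Initiator zone -> target zone pairs the post describes as permitted.
ALLOWED = {("red", "orange"), ("green", "orange")}
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+)")

def zone_of(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return next((name for name, net in ZONES.items() if ip in net), "unknown")

def check_flow(src, dst):
    """Return None for a permitted flow, otherwise the reason it is flagged."""
    pair = (zone_of(src), zone_of(dst))
    if pair in ALLOWED:
        return None
    if pair == ("red", "red"):
        return "vendors reaching each other on red"
    if pair == ("orange", "orange"):
        return "orange systems connecting to each other"
    # Assumption: anything the post does not describe is denied by default.
    return "flow %s -> %s not described in the policy" % pair

def audit(lines):
    """Return (line_number, reason) for every flagged flow record."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FLOW_RE.search(line)
        reason = check_flow(*m.groups()) if m else "unparseable record"
        if reason:
            findings.append((n, reason))
    return findings

# Constructed sample records (the format is hypothetical).
SAMPLE_LOG = [
    "1995-06-06T12:00:01 src=10.3.1.5 dst=10.2.0.10 dport=23",
    "1995-06-06T12:00:02 src=10.1.4.7 dst=10.2.0.10 dport=21",
    "1995-06-06T12:00:03 src=10.3.1.5 dst=10.3.2.9 dport=23",
    "1995-06-06T12:00:04 src=10.2.0.10 dst=10.2.0.11 dport=513",
    "1995-06-06T12:00:05 src=10.3.1.5 dst=10.1.4.7 dport=23",
]
```

Calling `audit(SAMPLE_LOG)` flags records 3, 4 and 5: vendor-to-vendor traffic, orange-to-orange traffic, and a red-to-green flow that skips orange.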

