I disagree. If you are using certain types of software as your
security rule-set enforcer (normally called a firewall), you should be able
1) from the untrusted-internet - don't allow anything other than mail
(proxied) and DNS (proxied) etc.
2) from the untrusted-dialup - Allow full access after authentication.
P.S. This keeps it to one system instead of two - decreasing the number of
systems that must be monitored and hardened.
At 15:22 95/12/11 -0600, the sage, Chuck Briese, uttered these words:
>On Dec 11, 15:10, H Morrow Long wrote:
>> Subject: Re: modems and accessing the internal network
>> Why not set up yet a third classification of network in addition to the
>> first two ( inside-corporate-trusted, outside-internet-untrusted )
>> which is : "dialup-untrusted"
>> You could then have the dialup network exist separate from the DMZ and
>> (Scenario 1) either share the same filtering router or proxy firewall
>> setup or (Scenario 2) have a completely different firewall between the
>> dialup-untrusted bank and the inside-corporate-trusted LAN.
>>-- End of excerpt from H Morrow Long
>I am an advocate of Scenario 2 because the firewall needs of the
>dialup/ISDN user are different from the firewall protecting the
>internal network from the DMZ. I can simply specify "no telnet, no X,
>no NFS, etc..." from the DMZ to the internal network.
>However, these users, particularly those with ISDN connections,
>require NFS and X traffic to be passed to machines at their
>homes/offices. While I might be able to place a firewall between
>the remote and internal networks, how effective would it really be?
>I ran across this example of what I fear in the appsrvr man page from
>my Pipeline software:
>    This command is only here because some system admins think its a great
>    way to prevent folks from actually wanting to work via an ISDN link.
>Chuck Briese, striving for zero defects in an inherently defective world
>BMC Software, Inc., 2101 City West Blvd., Houston 77042 (713) 918-1216
Chris Liljenstolpe
SSDS, Inc; 8400 Normandale Lake Blvd.; Suite 993
Bloomington, MN 55437;
TEL 612.921.2392 FAX 612.921.2395
business driven technology solutions
Um Yah Yah!