(June 1996)

Subject: Re: A secure environment for a K-12 school
From: Michael Dillon <michael @ memra . com>
Organization: Memra Software Inc. - Internet consulting
Date: Sun, 23 Jun 1996 18:29:48 -0700 (PDT)
To: Apu <apu @ spfld . com>
Cc: Firewalls mailing list <firewalls @ GreatCircle . COM>
In-reply-to: <Pine . LNX . 3 . 93 . 960621040624 . 3179A-100000 @ home . spfld . com>

On Fri, 21 Jun 1996, Apu wrote:

> My question comes down to two things:
>   - Would you recommend a Netware (IPX) or Unix (TCP/IP) based
>     solution, and why?  (Netware+Novix Firefox for access to the
>     Internet.)

Use TCP/IP for your core networking. Tunnel IPX between Novell servers
where needed (this implies that you would need a Novell server in the K-6
school). Use Novell's access security based on Ethernet segments to keep
academic users (students) out of the administrative servers. This implies
that you have routers internally like a Linux/FreeBSD box with multiple
network cards. Connect any LocalTalk segments with something like
Farallon's Interroute/5 which can also serve to tunnel AppleTalk through IP
for both LocalTalk and EtherTalk connected Macs.

>   - Any comments (on or off the record) about different firewall
>     vendors if we were to go Unix?

Your security concerns are primarily the opposite of most people's. Of
course, you want to block outsiders from doing nasty things internally, but
if all the important stuff is on IPX then they can't do much. But in your
scenario, the public that you need protection from is primarily inside the
organization, i.e. the students. You would also want to shield them from
accessing certain outside resources. One way to do this is to entirely
block outgoing port 80 (http) requests and force them to use a caching
proxy like Squid, which gives you some control over sites accessed as well
as logging.

Also, you may have some other access problems caused by placing teachers
outside the firewall, i.e. on the ISP's system, if they want to access
internal resources like, for instance, a FileMaker Pro database via
AppleTalk on a Mac server. One way around this is to actually install the
modems and terminal servers internally. This could be done and still use
the ISP for support, especially if there is a way to place part of the
ISP's NOC within your firewall boundary. If your network connection goes
through that ISP, then you should be able to accomplish this by
co-locating the firewall at the ISP's NOC on a separate Ethernet segment
from any other machines at the ISP.

Michael Dillon                                   ISP & Internet Consulting
Memra Software Inc.                                 Fax: +1-604-546-3049
E-mail: michael @ memra .


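The reply above recommends forcing student web access through a caching proxy like Squid for the control and logging it gives; the following is an added example (not part of the original message or of Squid) that turns that logging into a per-client view of the student segment: which sites each client reached and how many requests the proxy's ACLs denied. The log lines are constructed in Squid's native format, and 192.168.10.0/24 is an assumed address range for the academic Ethernet segment.

```python
# Added example: summarise a Squid native-format access.log for one segment.
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample in Squid's default ("squid") log format (hosts/addresses are placeholders):
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
835581123.456    120 192.168.10.23 TCP_MISS/200 4521 GET http://www.example.edu/index.html - DIRECT/192.0.2.10 text/html
835581124.010     15 192.168.10.23 TCP_HIT/200 2210 GET http://www.example.edu/logo.gif - NONE/- image/gif
835581130.001      2 192.168.10.23 TCP_DENIED/403 1820 GET http://blocked.example.net/ - NONE/- text/html
835581131.300    340 192.168.20.5 TCP_MISS/200 9870 GET http://library.example.org/catalog - DIRECT/198.51.100.7 text/html
835581132.700      1 192.168.10.41 TCP_DENIED/403 1820 GET http://blocked.example.net/games - NONE/- text/html
"""

# Assumed address range of the academic (student) Ethernet segment.
STUDENT_NET = ipaddress.ip_network("192.168.10.0/24")


def parse_line(line):
    """Split one native-format line into a dict; None if the line is malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    return {
        "client": fields[2],
        "status": int(status) if status.isdigit() else None,
        # CONNECT requests log "host:port" with no scheme; fall back to the raw field.
        "host": urlsplit(fields[6]).hostname or fields[6],
        "denied": result == "TCP_DENIED",
    }


def in_segment(addr, net):
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:  # client logged as a host name (log_fqdn on): not an address
        return False


def summarise(log_text, student_net=STUDENT_NET):
    """Per student-segment client: distinct sites reached and requests the ACLs denied."""
    report = defaultdict(lambda: {"sites": set(), "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_segment(rec["client"], student_net):
            continue
        entry = report[rec["client"]]
        if rec["denied"]:
            entry["denied"] += 1
        else:
            entry["sites"].add(rec["host"])
    return dict(report)
```

Clients on other segments (the administrative network in the sample) are dropped so the report covers only the population the proxy policy is meant to govern.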