On Sun, 18 Aug 1996 potlicker @
> Scenario: GrandInc runs a multivendor firewall farm that interconnects
> corporate WANs and the Internet. They want to see firewall performance
> data without having to log onto consoles. Policy forbids them to remotely
> access root on the firewalls across their network. They have to use the
Sounds like these are UNIX boxes. First step is to configure them to use a
> A lot of things could go wrong in this process of events. There are a lot
> of bright people on the firewalls list. What are viable alternatives?
Next step. Set up another UNIX box in the firewall farm room with a bunch
of serial ports. Connect each serial port to one of the firewalls. Then
run a cable to the remote point where the admins are located. This could
also be a single serial cable or if you want several admins to share the
access, use 10baseT to a hub in the admin offices and connect to a
separate interface card on each admin's workstation. Make sure that the
admins are using an OS that can be safely configured to not forward
packets. This type of configuration cannot be broken into from the
outside. In fact the major risk is that an admin workstation might be
reconfigured to allow packet forwarding and someone who has broken into
the network via other means could then get to the firewall.
> In the course of our research we have come across
> several large WANs that had a single firewall connecting them through a
> high speed link to the Internet. They also had many low speed connections
> from other parts of the WAN to the Internet. Most of these low speed
> dial-ups had no security protection.
To start with, corporations should ban modems entirely. The risk to a
company from industrial espionage is too great. The time will soon be here
when corporations can take the next step and ban all telephones. Any voice
communications will happen over the corporate WAN and get switched into
the PSTN by a box in the DMZ. Actually, modems can be blocked today using
voice compression technology from companies like Gandalf that will let
you mux 4 voice conversations onto a 56K link. While this is normally used
to transport voice over a WAN link, through the use of zero-mile 56K lines
in the PBX room you could route all voice calls through such a device and
make modem use virtually impossible.
Of course it will never happen, because Sik Puppy and his friends need to
have SOME place to play, don't they?
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael @