In reference to the issue:
> Matt Wallace wrote:
> | On Wed, 22 Jan 1997, Henry Lim Chee Wee wrote:
> | > Irwin Lazar wrote:
> | > > I think I missed a discussion about this a few weeks ago, but can anyone
> | > > offer any suggestions on whether it is better to place a dial-in server
> | > > inside or outside of the firewall?
[continuations snipped...]
- ----------
I tend to use DRAS, which allow for "higher security" authentication
mechanisms such as Watchword, S/Key, SecurID, and a few others, and then
place the dial-in banks within the secure side.
I am not an authority on whether this is the best solution, but I get
about the same protection that the firewall gives to authenticated
sessions.
I know a few products where a return dialback is made only after the
authentication takes place. Since the authentication is encrypted, it
makes it a bit more troublesome to guess the password. Furthermore,
with the right Access Server, odds are the account gets disabled after
2 or 3 failed authentication attempts.
Last point: someone mentioned firewalls configured in a point-to-point
(i.e. IP Source and Destination) mode for applications. Seems like
there would be no point in keeping the dial-in banks on the insecure
side, as in this case the applications will automatically be
authorized to the IP address of the NAS (assumed), which sort of breaks
down one level of security.
To sum it up, I prefer Remote Access Servers with higher levels of
security (i.e. encrypted password algorithms) and then place the NAS
and the RAS on the secure side.
Arjo
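As an added illustration of two of the points above (an S/Key-style one-time password, and an account that locks after a few failed attempts), not code from the post or from any product it names: a simplified hash-chain verifier. Real S/Key uses MD4/MD5 and 64-bit values; this example uses SHA-256, a constructed seed, and a lockout threshold of 3, all chosen here for illustration.

```python
import hashlib


class SKeyVerifier:
    """S/Key-style one-time password verifier (simplified, assumed design).

    The server never holds the secret; it keeps only the current link of a
    hash chain. Each accepted password becomes the new stored link, so a
    password captured on the line cannot be replayed, and guessing is
    bounded by a failed-attempt lockout.
    """

    def __init__(self, stored_link: bytes, max_failures: int = 3):
        self.stored_link = stored_link
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    @staticmethod
    def step(value: bytes) -> bytes:
        # One link of the chain: hash of the previous link.
        return hashlib.sha256(value).digest()

    def verify(self, candidate: bytes) -> bool:
        if self.locked:
            return False
        if self.step(candidate) == self.stored_link:
            self.stored_link = candidate   # advance the chain
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True             # "account gets disabled"
        return False


def build_chain(secret: bytes, length: int) -> list:
    """Client side: chain[0] = H(secret), chain[i] = H(chain[i-1])."""
    chain, v = [], secret
    for _ in range(length):
        v = SKeyVerifier.step(v)
        chain.append(v)
    return chain


def demo() -> list:
    chain = build_chain(b"constructed-secret-seed", 5)   # constructed sample
    server = SKeyVerifier(chain[-1])        # enrolled with the last link only
    out = [server.verify(chain[3]),         # legitimate login
           server.verify(chain[3]),         # replay of the captured OTP fails
           server.verify(chain[2])]         # next legitimate login
    for _ in range(3):
        server.verify(b"guess")             # three bad guesses lock it
    out += [server.locked, server.verify(chain[1])]   # locked, even with a valid OTP
    return out
```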