On 2 June 1997, Kohn, Joav wrote:
>
> unless you have a screening router (or proxy server, or firewall) at
> your end, you have no security at all. just cause the direct route to
> your network is hidden doesn't give you any security. if it made it
> impossible for the internet to reach you, none of your internet requests
> would ever get back to you.
>
> no matter how you go, ISP or MCI/SPRINT/ATT, you still need to get some
> type of protection on your end, under your control. after all, would you
> want to bank your company on your internet provider?
>
> > >
On 2 June 1997, Mariko Yashada wrote:
> > >
> > >
> > > My company is currently getting Internet access through a local ISP, using
> > > PPP connections. We are now considering replacing the dial-up connections
> > > with a leased line to the ISP. We will leave our web server at the ISP and
> > > will continue to use their e-mail server. There will be a router at the ISP
> > > end of the line. The line will connect to our Enterprise Network through a
> > > router at our end. We will also put a proxy server at our end to filter
> > > outgoing access and do NAT.
> > >
> > > The ISP people say this type of connection is more secure than a direct
> > > connection to the Internet through say MCI, because our router will be
> > > "hidden" behind their routing system. The IP address of our router will not
> > > be accessible from outside the ISP domain.
> > >
> > > We will not allow incoming connections such as telnet or ftp. We will
> > > restrict access from inside the company to e-mail, http, ftp and probably
> > > audio.
> > >
> > > My question is, how secure is this type of connection? How difficult is it
> > > for someone outside the ISP domain to discover and access our connection?
> > >
> > > Thanks,
> > >
> > > Mariko
> > >
Hi Pals!

I agree with what Kohn said in his first paragraph, last line. By the way Kohn,
she mentioned that she will be using a proxy server in her first paragraph.

1. Your router is "hidden", because both your router and your ISP's router will
   not broadcast any routing tables between themselves. This is a normal
   configuration, since there are so many routers in the Internet, and surely
   your router cannot store them in its cache.

   a. You will define a static route (or a default gateway) with the address of
      your ISP's router and a metric of one in your router, and your ISP also will
      add a static route in their router to point to your router. Whenever your
      router receives any packet destined for 0.0.0.0, it will be forwarded to your
      ISP's router.

   b. You will disable "talk" and "listen" on your router. So your internal LAN will
      not be broadcast to the Internet, and your router will not receive any routing
      updates. This is why you would have to add a static route in your router.

2. A proxy server alone is not enough to protect your LAN. You will need more than
   that, for example, a packet filter, an application filter or a full firewall.

3. Anyone can still know your LAN's network address, just by pinging your proxy server
   or DNS (e.g. ping grfn.org instead of the normal "ping x.x.x.x").
   You can see the IP address in the reply packet (unless you install a firewall
   and disable the ICMP echo reply function).

Regards.
Wong.
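As an added illustration of points 2 and 3 above (not code from anyone in this thread), here is a toy stateful packet filter that enforces Mariko's stated policy: only the proxy talks to the Internet, outbound traffic is limited to e-mail/http/ftp, inbound packets are accepted only as replies to connections the proxy opened (which is why "hiding" the route cannot be the whole story, as Kohn notes), and ICMP echo requests from outside are dropped. The internal prefix, proxy address and sample addresses are constructed assumptions.

```python
"""Toy stateful packet filter modelling the policy discussed in the thread."""
from dataclasses import dataclass

INTERNAL_NET = "10.1.0."          # assumed internal LAN prefix (constructed)
PROXY = "10.1.0.2"                # assumed proxy/NAT host (constructed)
ALLOWED_OUTBOUND = {25, 110, 80, 21}  # smtp, pop3, http, ftp: "e-mail, http, ftp"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # e.g. "echo-request", "echo-reply"


class Filter:
    def __init__(self):
        # connections the proxy opened: (internal ip, port, external ip, port)
        self.state = set()

    def decide(self, p: Packet) -> str:
        outbound = p.src.startswith(INTERNAL_NET)
        if p.proto == "icmp":
            # Point 3: never answer echo requests from outside, so a ping of
            # the proxy or DNS name from the Internet gets no reply packet.
            if not outbound and p.icmp_type == "echo-request":
                return "DROP"
            return "ACCEPT"          # replies/errors for our own traffic
        if outbound:
            if p.src != PROXY:       # only the proxy may reach the Internet
                return "DROP"
            if p.dport not in ALLOWED_OUTBOUND:
                return "DROP"        # e.g. telnet or irc from inside
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound: accept only replies to a connection the proxy initiated.
        # Everything else (telnet, ftp, ...) is dropped regardless of how
        # "hidden" the router's address is supposed to be.
        if (p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT"
        return "DROP"


if __name__ == "__main__":
    f = Filter()
    print(f.decide(Packet(PROXY, "192.0.2.10", "tcp", 40000, 80)))      # ACCEPT
    print(f.decide(Packet("192.0.2.10", PROXY, "tcp", 80, 40000)))      # ACCEPT
    print(f.decide(Packet("192.0.2.10", PROXY, "tcp", 40001, 23)))      # DROP
```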