Joe Klemmer wrote:
> On Mon, 9 Jun 1997 Brown_Michael_K @
> > If someone just wants to only allow email into their network, perform
> > NAT (since they are not registered legal internal addresses) and allow
> > internal users to surf the internet using http, what is the most
> > economical and still secure way/product to do this?

If you had a router that had Cisco IOS 11.x or greater (I can't recall
the exact version here) you could do this. It is not the most secure
way but it may be the most economical since there may be a good chance
you have this kind of router.

Specifically, the newer Cisco IOS can support NAT. This and the older
IOS versions can support http and smtp filtering in combination with source
and destination IP address filtering. (However, you can only do destination
port filtering with Cisco - can't do source port filtering. You can,
though, use an inbound and outbound packet filter.) As far as letting
people surf the WWW, you can filter on the ACK bit, thereby only allowing
persons to set up outbound TCP (port 80) connections without the fear of
someone establishing one to your internal servers. With this you should
turn off "source routing" to better protect yourself against spoofing.

Keep in mind though, this type of filtering is weaker than a proxy or
stateful inspection, but would be most economical if you already had a
router with Cisco IOS on it.
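
The following is an added example, not part of the original post and not router configuration: a small Python model of the inbound rules described above (SMTP to a mail host, everything else only with the ACK bit set) next to a filter that tracks outbound connections, to show where the two differ. All addresses are constructed, the mail host address is an assumption, and NAT is not modelled.

```python
from dataclasses import dataclass

MAIL_HOST = "10.0.0.25"  # assumed internal mail server (constructed address)

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def stateless_inbound(seg):
    """Inbound filter from the post: destination address/port plus the ACK bit."""
    if seg.dst == MAIL_HOST and seg.dport == 25:
        return True   # inbound email to the mail host is allowed
    return seg.ack    # anything else only has to look like a reply

class StatefulFilter:
    """Remembers connections opened from inside; inbound must reverse one."""
    def __init__(self):
        self.flows = set()

    def outbound(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn and not seg.ack and seg.dport == 80:
            self.flows.add(key)   # new outbound web connection
            return True
        return key in self.flows  # later segments of a known connection

    def inbound(self, seg):
        if seg.dst == MAIL_HOST and seg.dport == 25:
            return True
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows

def compare():
    """Return {sample name: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    fw.outbound(Segment("10.0.0.5", 40000, "198.51.100.7", 80, syn=True))
    samples = {  # constructed inbound segments
        "web_reply": Segment("198.51.100.7", 80, "10.0.0.5", 40000, syn=True, ack=True),
        "inbound_syn_to_web": Segment("203.0.113.9", 50000, "10.0.0.8", 80, syn=True),
        "inbound_smtp": Segment("203.0.113.9", 50001, MAIL_HOST, 25, syn=True),
        "unsolicited_ack": Segment("203.0.113.9", 50002, "10.0.0.8", 80, ack=True),
    }
    return {name: (stateless_inbound(s), fw.inbound(s)) for name, s in samples.items()}

if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:20} stateless={stateless} stateful={stateful}")
```

The two filters agree on the first three samples; only the segment with ACK set that belongs to no outbound connection is treated differently, which is the gap the post refers to when it calls this filtering weaker than stateful inspection.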