At 12:57 AM 6/17/97 -0500, Mark A. Bialik wrote:
>Bring the internal customers directly into the internal-net by
>placing a portmaster and radius server behind the firewall.
>Then this isn't an issue.
>Excuse me... but I thought modem banks behind the firewall
>was Cardinal Sin #1??!!??
No, not even Cardinal Sin #100. If you have multiple entrances through a
security perimeter -- network, physical, whatever -- you need to make sure
1. they have a nearly identical security posture (they are equally
difficult to circumvent or break)
2. If one is weaker than the other, the one is watched closer.
The idea is obvious I think.
Anyway, if the strong authentication and encryption are the same through
both gateways, this is not necessarily a bad solution.
Cardinal Sin #1 might be poking holes through a perfectly good firewall to
support every possible service users say they need.
>Keep internal and external people dialing in via the same point (like
>now). Don't put modems behind the firewall. Use the SecuRemote
>product on each employee's home machine to setup an encypted
>tunnel between them and the firewall. Then allow those UDP packets
>to flow through the firewall.
>Umm.... isn't UDP through a firewall a bad idea?
Aside from the Firewall-1 part (:-)) this isn't bad either. You're allowing
bad, evil, UDP packets but only through over an authenticated, encrypted
path. This is a VPN *with trust* from user to inside network. As long as
SecuRemote (remember when you capitalized only the first letter of a word
or name?) guarantees that the client can never be connected to both the
inside and and outside network! You don't want the path to your network to
become some random PC somewhere out there. Be careful with this solution
that the UDP services are ONLY allowed when the link is encrypted. It may
be easy to erroneously set this up to allow UDP packets all the time. I
think FW-1 allows them, though my belief is they cannot allow UDP packets
securely (except over an encrypted link).
Gauntlet can also support the second method with Gauntlet PC Extender (and
possibly with SmartGate).
(voice) +1 301-854-5749; (fax) +1 301-854-5363
PGP Key: http://www.tis.com/docs/pub/pgpkeys/fredapgp.txt
PGP Key fingerprint =AF 29 5B CE 1A 60 1D C1 0C 4E AD 43 3F 53 BC C7