Great Circle Associates Firewalls
(June 1997)

Subject: Re: Gauntlet & FW1 told me to do this!??!
From: Frederick M Avolio <avolio @ tis . com>
Date: Tue, 17 Jun 1997 08:48:14 -0400
To: "Mark A. Bialik" <markb @ pmihwy . com>, firewalls @ greatcircle . com
In-reply-to: <199706170557 . AAA18259 @ eagle . pmihwy . com>

At 12:57 AM 6/17/97 -0500, Mark A. Bialik wrote:
>Gauntlet:
>
>Bring the internal customers directly into the internal-net by
>placing a portmaster and radius server behind the firewall.
>Then this isn't an issue.
>
>Excuse me... but I thought modem banks behind the firewall
>was Cardinal Sin #1??!!??

No, not even Cardinal Sin #100.  If you have multiple entrances through a
security perimeter -- network, physical, whatever -- you need to make sure
that either

	1. they have a nearly identical security posture (they are equally
	difficult to circumvent or break)

	2. If one is weaker than the other, the one is watched closer.

The idea is obvious I think.

Anyway, if the strong authentication and encryption are the same through
both gateways, this is not necessarily a bad solution. 

Cardinal Sin #1 might be poking holes through a perfectly good firewall to
support every possible service users say they need.

>Firewall-1:
>
>Keep internal and external people dialing in via the same point (like
>now). Don't put modems behind the firewall.  Use the SecuRemote
>product on each employee's home machine to setup an encrypted
>tunnel between them and the firewall. Then allow those UDP packets
>to flow through the firewall.
>
>Umm.... isn't UDP through a firewall a bad idea?

Aside from the Firewall-1 part (:-)) this isn't bad either. You're allowing
bad, evil, UDP packets but only through over an authenticated, encrypted
path. This is a VPN *with trust* from user to inside network. As long as
SecuRemote (remember when you capitalized only the first letter of a word
or name?) guarantees that the client can never be connected to both the
inside and outside network! You don't want the path to your network to
become some random PC somewhere out there. Be careful with this solution
that the UDP services are ONLY allowed when the link is encrypted. It may
be easy to erroneously set this up to allow UDP packets all the time. I
think FW-1 allows them, though my belief is they cannot allow UDP packets
securely (except over an encrypted link).

Gauntlet can also support the second method with Gauntlet PC Extender (and
possibly with SmartGate).

Fred
 

---
(voice) +1 301-854-5749; (fax) +1 301-854-5363
PGP Key:	http://www.tis.com/docs/pub/pgpkeys/fredapgp.txt
PGP Key fingerprint =AF 29 5B CE 1A 60 1D C1 0C 4E AD 43 3F 53 BC C7
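The two rules of thumb in the message, a matching security posture across every entrance to the perimeter and "UDP only when the link is encrypted", modelled as policy checks. This is an added example and is not code from the post, from Gauntlet or from Firewall-1; the rule model, the zone names and the authentication-strength scale are constructed assumptions, and the rule sets below are constructed to show the easy mistake next to the corrected form.

```python
"""Policy checks for the two points made in the message above.

Added example, not code from the mailing-list post or from Gauntlet or
Firewall-1.  The rule model, zone names and strength scale are constructed
for illustration and do not correspond to either product's syntax.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "udp", "tcp" or "any"
    src_zone: str                 # "outside", "inside" or "any"
    dst_zone: str
    encrypted_only: bool = False  # matches only traffic that arrived over the
                                  # authenticated, encrypted tunnel


@dataclass(frozen=True)
class Entrance:
    name: str
    auth_strength: int       # constructed ordinal: 1 = reusable password,
                             # 2 = one-time token, 3 = token plus encrypted tunnel
    watched_closely: bool    # extra logging and alerting on this entrance


def first_match(rules: List[Rule], proto: str, src_zone: str, dst_zone: str,
                over_tunnel: bool) -> str:
    """First-match evaluation with an implicit final deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.src_zone not in ("any", src_zone):
            continue
        if r.dst_zone not in ("any", dst_zone):
            continue
        if r.encrypted_only and not over_tunnel:
            continue
        return r.action
    return "deny"


def unencrypted_udp_allows(rules: List[Rule]) -> List[Rule]:
    """Rules that let UDP from outside reach inside without requiring the
    tunnel: the misconfiguration the message warns about."""
    return [r for r in rules
            if r.action == "allow"
            and r.proto in ("udp", "any")
            and r.src_zone in ("outside", "any")
            and r.dst_zone in ("inside", "any")
            and not r.encrypted_only]


def weaker_entrances_not_watched(entrances: List[Entrance]) -> List[str]:
    """Entrances weaker than the strongest one that are not watched more
    closely, violating the second of the two conditions in the message."""
    strongest = max(e.auth_strength for e in entrances)
    return [e.name for e in entrances
            if e.auth_strength < strongest and not e.watched_closely]


# Constructed rule sets.  WEAK_RULES is the easy mistake: UDP is allowed all
# the time.  CORRECTED_RULES admits UDP only over the tunnel and then denies
# everything else arriving from outside.
WEAK_RULES = [
    Rule("allow", "udp", "outside", "inside"),
]
CORRECTED_RULES = [
    Rule("allow", "udp", "outside", "inside", encrypted_only=True),
    Rule("deny", "any", "outside", "inside"),
]

# Constructed perimeter inventory: the firewall's tunnel and a modem pool
# placed behind it, the latter with a weaker posture and no extra watching.
ENTRANCES = [
    Entrance("firewall-vpn", auth_strength=3, watched_closely=True),
    Entrance("modem-pool", auth_strength=2, watched_closely=False),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("corrected", CORRECTED_RULES)):
        print(name, "| plain UDP from outside:",
              first_match(rules, "udp", "outside", "inside", over_tunnel=False),
              "| tunnelled UDP:",
              first_match(rules, "udp", "outside", "inside", over_tunnel=True),
              "| unencrypted UDP allows:", len(unencrypted_udp_allows(rules)))
    print("entrances needing a closer watch:",
          weaker_entrances_not_watched(ENTRANCES))
```

Run against the weak rule set, plain UDP from outside is allowed whether or not the tunnel is up, which is exactly the state the message says is easy to set up by accident; the corrected set answers "deny" for plain UDP and "allow" only when the packet arrived over the tunnel. The entrance check reports the modem pool because it is weaker than the tunnel path and is not watched more closely.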

