Les
It's technically not an error, you can take out the REFEXCLUDE line, or
comment it out in the dig file.
-----Original Message-----
From: Mark A. Bialik [SMTP:markb@pmihwy.com]
Sent: Tuesday, June 17, 1997 7:58 AM
To: firewalls@greatcircle.com
Subject: Gauntlet & FW1 told me to do this!??!
Hello:
Can someone give a critique of the options I present below?
In a nutshell, an ISP wants to isolate the ISP net from their internal
net. The internal net consists of a mix of NT servers and UNIX
servers. All the employees have Win95 machines at home. Both employees
AND paying internet customers dialin via the same modem pool.
(Livingston Portmasters authenticating against Linux Radius servers).
The main concern is employees being able to browse the NT shares
behind the firewall while keeping the external customers (and internet
at large) from doing so.
The ISP has decided on Gauntlet or Firewall-1. Reps from both
companies have told them the following:
Gauntlet:
Bring the internal customers directly into the internal-net by placing
a portmaster and radius server behind the firewall. Then this isn't
an issue.
Excuse me... but I thought modem banks behind the firewall was
Cardinal Sin #1??!!??
Agreed.
Firewall-1:
Keep internal and external people dialing in via the same point (like
now). Don't put modems behind the firewall. Use the SecuRemote
product on each employee's home machine to setup an encrypted tunnel
between them and the firewall. Then allow those UDP packets to flow
through the firewall.
Umm.... isn't UDP through a firewall a bad idea?
Agreed again.
Which one of these is a better option? I think they both suck, so what
would my alternative be? Thanks much for your attention.
Instead of SecuRemote use AltaVista Tunnel. This runs on TCP, so it
can be safely tunneled through almost any Firewall, and it offers
*mutual* authentication.
It would take the AltaVista Group Tunnel installed on an internal NT
(or Digital UNIX) system and a personal tunnel on each remote PC
(Windows 95 or NT). All traffic is mutually authenticated and encrypted
(with 128-bit keys, since you are in the US - the rest of us have to
live with 56-bit)
In fact, this e-mail is composed over such a link (!)
Check out the product at http://altavista.software.digital.com
- Kim
---
Kim Wohlert |Mailto:Kim.Wohlert@mainz.dk
erik mainz a/s |
Dortheavej 7 |
DK-2400 Copenhagen |Phone: +45 38 34 77 88
Denmark |Fax: +45 31 19 16 25
---
Nostalgia isn't quite what it used to be
Mark
======================================================================
Mark A. Bialik (414) 290-6749
Systems Administrator www.pmihwy.com/~markb
Preferred Medical Informatics markb@pmihwy.com
Infinity HealthCare, Inc. mbialik@infinityhealthcare.com
Mequon, WI USA www.linux.org
======================================================================
David Park
Systems Administrator
Cybercom, INC.
Phone: 808-539-3742 Fax: 808-539-3743
E-mail: davidp@cyber-hawaii.com Support: support@cyber-hawaii.com
NEWS FOR CUSTOMERS * Check this spot for news regarding our services.