Firewalls: Re: Connecting 40 remote sites securely?

Firewalls
(June 1997)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Connecting 40 remote sites securely?
From:	tzeruch @ ceddec . com
Date:	Thu, 26 Jun 1997 15:03:20 -0400
To:	KMoore1824 @ aol . com, mikech @ avana . net
Cc:	Firewalls @ GreatCircle . COM
In-reply-to:	<970620225527_-361344048 @ emout06 . mail . aol . com>

On Fri, 20 Jun 1997 KMoore1824 @
 aol .
 com wrote:

>  1. My company has been looking for a fast, easy to administer firewall for 
>  some time now. We need to network about 40 offices and don't need a lot of 
>  administration overhead. We must have the capability of performing encryption 
>  (we might need more than DES now! ;-) between our offices and corporate hub if 
>  necessary. Also some of our sites are located in South America and Europe.
> We also need full NAT functionality (one to one, one to many, many to one, etc.
>  etc.) as we may want to offer inbound services and some IP remapping at the 
>  remote sites. 

Do you need to do a Virtual Private Network (VPN), or would simply secure
browsers at one site and secure servers at a second site work.  If you
need a VPN, some firewalls support this, some do not.

>  2. Could you use something like Linux with the IPSec extensions in France?

Check with a French lawyer, but last I heard, anything strong enough to be
useful (even DES) is unlawful, which would include CAST-128 which is what
IPSec uses.

>  5. What about remote access (non-UDP). Especially outside of the United 
>  States. Are there any clients that use more than DES encryption? How much
> more 
>  secure is 3DES than standard DES. We just want to secure POP, SMTP, HTTP, 
>  NNTP, FTP and Telnet. Should I worry if the remote access encryption 
>  technology is proprietary?

3DES is secure if there are no other holes (it doesn't show the weaknesses
of DES and if the keys are kept secure...).  See Applied Cryptography by
Bruce Schneier for further info.

SSL versions of all the above protocols are available (and outside the
US!).  Start at http://www.psy.uq.edu.au:8080/~ftp/Crypto/

>  6. Is FTP inherently hard to secure with Stateful Inspection type Firewalls?

It depends on what you want to use FTP for.  You can use http(s) to move
almost anything, and I hacked together a "microserver" that functions sort
of like an ftp client (returns a directory with links to files and
subdirs, etc, clicking will download).  But otherwise use a good FTP.

>  7. What key distribution method should we look for? Is a standard emerging?

X509 Certificates.  The ssl listservs are the best place to get answers to
these and the above URL is the best place to start finding this stuff.

References:

Connecting 40 remote sites securely?
From: KMoore1824 @ aol . com

Indexed By Date	Previous:	Re: why this should not work a gateway/proxy/firewall ??? From: tzeruch @ ceddec . com
Indexed By Date	Next:	Re: Definition of a security expert-College Degree From: Niall James McCormack <njames @ sid . com . br>
Indexed By Thread	Previous:	Connecting 40 remote sites securely? From: KMoore1824 @ aol . com
Indexed By Thread	Next:	Re: Connecting 40 remote sites securely? From: drexx @ pspi . com . ph (Drexx Laggui)