On Tue, 5 Aug 1997 16:52:52 -0700 (PDT), Firewalls-Digest wrote:
>From: Bret Watson <Bret.Watson@bwa.net>
>Subject: Best Practice? - internet + multiple RAS
>
>We have a client with a remote access problem. Basically they have a large
>number of semi-permanent ISDN lines as part of their WAN as well as a
>number of modems for the more remote points.
>Added to that is the requirement for their IT people to have access from
>home and for the computer supplier to have access (mainly dial out) for
>maintenance.
>Yes there's more!
>There are also plans for the marketing dept to have access remotely from
>clients' premises and for clients to have access for account management.
>The core protocol on the LAN is TCP/IP.
>
>The IT people need complete access to the network, whilst most of the rest
>will only need access to the main CPU. The protocol used by the WAN offices
>is telnet.
>
>
>My question.... what is the best practice for this?
>
Hi Bret,
IMO the requirements (or the actual situation) sound very common for
larger enterprises.
I suppose that there is a security policy established that requests a
little bit more security than they seem to actually have reached.
In order to get it under control try to approach these goals:
1) ISDN WAN connections secured (at least callback).
2) No modems on any LAN station.
   Use dial-out servers instead if not avoidable, so you can at least
   get a log of connections.
3) Remote LAN access using strong authentication for a very limited
   number of persons (your own support people) via RAS under control
   of security management.
   The best solution would be to reduce this to one single point of access.
4) Regular remote access via firewall and RAS in the DMZ using
   strong authentication on the firewall for any access that is
   not generally open to the internet.
5) If you need automatic program-to-program connections or a very
   convenient way to connect from remote without losing strong
   authentication, you should evaluate VPN techniques (probably
   smart card based).
Most of your users should feel comfortable with point 4 above.
In my experience the most critical point is to make people security
aware enough to be willing to discuss the use of more secure solutions.
Regards,
Peter Vaterlaus
//------------------------------------------------------------
// Consulting and Security for Networks and Internet
// Peter Vaterlaus edv@vaterlaus.ch http://www.vaterlaus.ch/edv
// EDV-Systemberatung tel ++41 32 621 84 21
// Klosterplatz 6, Postfach fax ++41 32 621 84 25
// CH-4502 Solothurn
// Switzerland
//------------------------------------------------------------