Great Circle Associates Firewalls
(September 1997)

Subject: Re: access for remote users through the firewall
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Thu, 11 Sep 1997 21:57:18 -0400 (EDT)
To: Colin Campbell <sgcccdc @ citec . qld . gov . au>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <199709112300 . JAA05000 @ guru . citec . qld . gov . au>

On Fri, 12 Sep 1997, Colin Campbell wrote:

> Alternative 1:
> 
> 	Organisation puts modems and terminal server inside LAN and
> 	forces all users to phone the number. Works fine for locals
> 	but when you're 10,000 miles away, international phone calls
> 	tend to cost a bit.
> 
> 	Any thoughts on performance and security issues? I reckon
> 	9600 baud would be lucky. Support of users with problems
> 	is also an issue.
> 
> Alternative 2:
> 
> 	Organisation puts tunnel server inside firewall (PPTP not
> 	an option cos 40-bit encryption is insufficient) and opens

Keep in mind that even 40-bit encryption will get you thrown in jail in 
some countries.  

> 	a hole in the firewall for the tunnel. Users go to local ISP
> 	and tunnel over internet through firewall to tunnel server.
> 
> 	Again, thoughts on security, performance, support issues?

Local ISPs in foreign lands are much harder to get at legally, so if you
have anything those users access that has a lifespan longer than the
encryption, beware.  Also, if your encryption technology doesn't do
key changes often enough, then watch for that as well.  Also, if you're
tunneling them in, think about putting the tunnel in front of a firewall
to do strong authentication and limit access to network resources which
use that pipe.  Sooner or later, one of those folks is going to be hooked
to something in the clear.  Ensure that those users know that any
non-encrypted connection to their machine while it's VPNing breaks the
encryption model.

> There are some who believe (1) is the only option since it is far too
> dangerous to allow secure traffic (State Gov't) to traverse any data
> network outside of the organisation.

There are some of us who believe that it's better to replicate what's
needed, and/or offer limited access to replicated data on semi-private
machines outside the network, than to offer unattended access to the
protected network from any remote workstation.  Especially given the
security clue of most of the folks who tend to be traveling.  One good
airport snatch gets the laptop, smartcard, PIN, and phone numbers.  One
more device off the laptop and it's a router.


Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net  which may have no basis whatsoever in fact."
                                                                     PSB#9280
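The "tunnel in front of a firewall" placement Paul recommends, as an added example that is not from the original thread: an nftables ruleset for an inner firewall between the tunnel server and the protected LAN, so an authenticated remote user reaches only an explicit list of internal services and everything else from the tunnel is logged and dropped. The address pool, interface names and the allowed services are assumed values, not anything from the list message.

```shell
#!/bin/sh
# Added example, not code from the original message.  Generates an nftables
# ruleset for the firewall that sits BEHIND the tunnel server: traffic from
# tunnel clients is only allowed to a short list of internal services.
# Every address and interface name below is assumed/constructed.

VPN_POOL="10.200.0.0/24"      # addresses handed out to tunnel clients (assumed)
VPN_IF="eth0"                 # interface facing the tunnel server (assumed)
LAN_IF="eth1"                 # interface facing the protected LAN (assumed)

# Internal services a remote user may reach: "host port proto" per line (assumed).
ALLOWED="10.10.1.5 25 tcp
10.10.1.5 143 tcp
10.10.1.20 443 tcp"

inner_fw_rules() {
    printf 'table inet vpn_inner {\n'
    printf '  chain forward {\n'
    # Default-deny: only what is explicitly accepted below gets through
    printf '    type filter hook forward priority 0; policy drop;\n'
    # Replies to connections the remote user opened are allowed back
    printf '    ct state established,related accept\n'
    # New connections must arrive from the tunnel side and from the tunnel pool
    printf '    iifname != "%s" drop\n' "$VPN_IF"
    printf '    ip saddr != %s drop\n' "$VPN_POOL"
    # One accept rule per permitted internal service
    printf '%s\n' "$ALLOWED" | while read -r host port proto; do
        [ -n "$host" ] || continue
        printf '    oifname "%s" ip daddr %s %s dport %s ct state new accept\n' \
            "$LAN_IF" "$host" "$proto" "$port"
    done
    # Anything else coming out of the tunnel is logged (rate limited) and then
    # hits the chain's drop policy, so misuse of a stolen laptop shows up in logs
    printf '    limit rate 10/minute log prefix "vpn-inner-drop: "\n'
    printf '  }\n'
    printf '}\n'
}

# Number of per-service accept rules emitted (one per ALLOWED line)
allow_rule_count() {
    inner_fw_rules | grep -c 'ct state new accept'
}

inner_fw_rules
```

Load the output with `nft -f` on the inner firewall host; the tunnel server itself still does the strong authentication, this ruleset only bounds what an authenticated session can touch.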
