On Tue, 28 May 2002 [EMAIL PROTECTED] wrote:

> My environment consists of NT4 Servers SP6a.  Our web server hosts multiple
> web sites.  We are using Proxy Server 2 for our users' Internet access
> gateway and for routing inbound Internet requests to the correct web site.
> We are on a single subnet LAN and the router has only the basic firewall
> configured; no other filter or filter sets.
>
> Our business requires us to connect to various customers' systems.  These
> systems can be AS400 machines, DEC VAX machines and Windows-based machines.
> More and more we are seeing customers request that we use their VPN
> solutions for connectivity.  Various emulation applications are used along
> with the VPN connections as all our desktops are W2K.
>
> Proxy Server is preventing us from making some VPN connections because of
> the NATing that it does.  We think that a firewall is the solution.  The
> product needs to:
>
> Allow multiple site-to-site VPN connections
> Allow VPN connections to be made from desktops inside our LAN

Many <most?> folks like to terminate the VPN on a DMZ net, and make users
work from there out, especially if the VPN is not a tunnel to more direct
internal corporate structures, say branch offices and such.  Allowing the
tunnel all the way to the desktop does not allow the finer grain of
control.  Additionally, you may want to come up with some kind of
assurances that these partners' security policies are at least as strong as
your own, prior to agreeing to any tunneling.  This may well include not
only NDAs and security specifics in contracts and SLAs you may need
signed off on, but additionally third party audits to ensure such is in
place.  How do you or they know if you have employees on the road or
working from home with tunnels inside and unsecured machines they are
working from, say they might be tunneled in and still browsing the net or
playing in IRC?  How do you or they know one side has not violated its
security policies totally with an insecure implementation of wireless
toys?  Thus the third party audits and sharing of results.  Especially
with the coming requirements and concerns for HIPAA, which your
organization is probably going to have to commit to and deal with these
coming months.  Some of these requirements are going to extend
to at least a degree to those companies you are sharing
connections/information with, and will be part of federal auditing and
assurances in the first quarter next year.


Thanks,

Ron DuFresne

> Allow IPSec and PPTP and other protocols/encryptions thru
> Route incoming Internet requests to the correct private IP addresses of our
> web sites
> Replace Proxy Server as the Internet gateway
>
> Can you experts give me some recommendations on brands and models that will
> accommodate this?
>
> As you can tell, I'm new to the details of firewalls.  Thanks for any
> suggestions/help in advance.
>
>
>
> Bill Lambert
> Endoxy Healthcare
> 847-941-9206
> [EMAIL PROTECTED]
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
