1999-03-14-19:27:37 meb:
> I work for a company with both Internet and extranet (VAN, frame relay,
> and leased line) connectivity to important partners and customers. Some of
> these connections utilize hosts maintained outside a state-based packet
> filter firewall. The external servers are fairly common (FTP, reverse
> proxy, web, SMTP, DNS, etc.) and run on both NT and UNIX.
> 
> I'm looking for documentation on how to most securely perform adequate
> remote administration and monitoring functions on these external hosts. We
> have requirements for traffic initiated internally and externally (i.e.,
> access for internal users to place data on external hosts for customer
> pick-up, and access for external security software to send traps to an
> internal server when a change occurs to important configuration data).

Well, for the outbound connectivity, I'd recommend ssh for the Unix systems.
As the vendors of ssh seem to be en route to completely closing their
implementation down, I'd probably seriously consider going with lsh[1,2]; at
least, give it a nice long looking over, see how you like it, as it may be
your choice before much longer.

Won't comment on the NT systems.

As for the incoming alerts and whoosits, I'd see how far I could get basing
them on email. A trap generator could send an alert to user@[ip.addr.on.fw] to
avoid DNS and MX lookups; as long as the routing of the intervening network
hasn't been compromised the message should end up at the Right Place, and
promptly. And the remote machine could use ssmtp[3,4] as its smtp client;
sending email doesn't require a sendwhale. Naturally you'll need a
well-secured smtp server on your firewall, but that's something most people
need anyway. I'd tend to recommend qmail[5] or Postfix[6], though
smap/smapd[7] with sendmail[8] is widely used. There's also smtpd[9].

If you can't base it on email, then you are liable to have a real problem,
unless you are _sure_ that these outside machines are truly clamped down tight
as can be --- which you probably aren't. You don't want any more liberal
inbound tunnel available to these machines unless you're sure they cannot be
compromised. And you aren't sure of that.

-Bennett

[1] <URL:ftp://ftp.lysator.liu.se/pub/security/lsh>
[2] <URL:http://www.net.lut.ac.uk/psst/>
[3] <URL:ftp://ftp.cdrom.com/pub/linux/sunsite/system/mail/mta/>
[4] <URL:ftp://ftp.cdrom.com/pub/linux/debian/dists/slink/main/source/mail/>
[5] <URL:http://www.qmail.org/>
[6] <URL:http://www.postfix.org/>
[7] <URL:http://www.fwtk.org/>
[8] <URL:http://www.sendmail.org/>
[9] <URL:http://www.obtuse.com/>
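A worked version of the address-literal trap delivery described above, as an added example that is not from the original post or from any of the tools it lists: the external host sends straight to user@[ip] of the firewall's SMTP server, so neither a DNS nor an MX lookup is needed, and a constructed stand-in relay on loopback shows both sides of the exchange. The addresses, host names and the sample alert are all made up.

```python
import re, smtplib, socketserver, threading
from email.message import EmailMessage

ADDR_LITERAL = re.compile(r"^[^@\s]+@\[(\d{1,3}(?:\.\d{1,3}){3})\]$")  # user@[a.b.c.d]: no DNS/MX lookup needed

def relay_ip(rcpt):
    # The IPv4 literal in user@[ip], or None if delivery would need a DNS lookup
    m = ADDR_LITERAL.match(rcpt)
    return m.group(1) if m else None

def send_alert(sender, rcpt, subject, body, port=25):
    ip = relay_ip(rcpt)
    if ip is None:
        raise ValueError("recipient must be user@[ip]; refusing to resolve a hostname")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content(body)
    # fixed local_hostname: the external host does not look up its own name for EHLO either
    with smtplib.SMTP(ip, port, local_hostname="ext-host", timeout=5) as smtp:
        smtp.send_message(msg)
    return ip

class FakeRelay(socketserver.StreamRequestHandler):
    """Constructed stand-in for the firewall's SMTP server (not a real MTA)."""
    def handle(self):
        self.wfile.write(b"220 fw.example ESMTP\r\n")
        while line := self.rfile.readline():
            cmd = line.decode(errors="replace").strip().upper()
            if cmd == "DATA":
                self.wfile.write(b"354 end data with <CRLF>.<CRLF>\r\n")
                body = []
                while (l := self.rfile.readline()) not in (b".\r\n", b""): body.append(l)
                self.server.received.append(b"".join(body))
                self.wfile.write(b"250 queued\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:  # EHLO, MAIL FROM, RCPT TO: accepted unchecked in this stand-in
                self.wfile.write(b"250 fw.example\r\n")

def demo():
    # Push one constructed alert through the fake relay on loopback; returns (relay ip, received bodies)
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRelay)
    srv.received = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    ip = send_alert("trapgen@ext-ftp", "trap@[127.0.0.1]", "CONFIG CHANGE",
                    "constructed sample: /etc/inetd.conf checksum changed", port=srv.server_address[1])
    srv.shutdown(); srv.server_close()
    return ip, srv.received
```

On a real deployment the relay on the firewall still needs to restrict who may send to the trap mailbox, since an address literal only removes the name-resolution dependency, not the need for a well-secured SMTP server.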