What Jim wants is the reverse. I think he wants to be able to go into
someone else's network and manage the devices from outside. He wants the
real time trace back of the source IP addresses. It can be done by creating
tunnels without address hiding. If the outside entities can identify the
types of services and ports they need to use, then the tunnels can be
filtered to make it a bit safer. We had this kind of situation, but the
outside entities cannot identify what services they require to make their
management functions work. So we ended up moving them, or are in the process of
moving them, to the outside. If the outside entities have some respect for
other people's network security they need to provide the required
information so that both parties can accomplish their missions.

Than

                -----Original Message-----
                From:   Vik Bajaj [mailto:[EMAIL PROTECTED]]
                Sent:   Wednesday, January 13, 1999 9:26 PM
                To:     [EMAIL PROTECTED]
                Cc:     [EMAIL PROTECTED]
                Subject:        RE: Address hiding


                On 13-Jan-99 [EMAIL PROTECTED] wrote:
                > OK, here's one:
                > 
                > You'd like to use the "address hiding" feature that firewalls provide for
                > obvious reasons, but at the same time, there's a requirement for an external
                > entity to monitor/track activity based on IP address.  In other words,
                > tracing a connection back to the outside interface of one of your firewalls
                > is unacceptable --- we need to identify the source address inside the
                > firewall as well.  Crazy as it sounds, is this at all possible?

                Retrospective matching by reconciliation is quite easy with available
                functionality (i.e. keep logs on the internal interface and reconcile them
                with logs from the external entity); that coupled with periodic exchange of
                logs with the "external entity" over a trusted channel could presumably fill
                your requirements.  However, this obviously implies that you trust the external
                entity with the details of your internal network.

                I have tried a hacked up identd w/MD5 to do a one-time hash in a masqueraded
                environment.  The per-connection overhead was ridiculous.  I haven't
                investigated other options, but perhaps it is possible.  I'd sooner wait to
                switch to the next protocol.

                --Vik
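The retrospective reconciliation Vik describes (keep translation logs on the firewall's internal interface, then match them against the records the external entity sends back) is shown below as an added example; it is not code from either poster, and the two log formats, the 30-minute translation lifetime and the 60-second clock-skew allowance are assumptions made for the example. The external entity only sees the firewall's public address and port, so the join key is the 4-tuple (public ip, public port, destination ip, destination port); the lookup picks the newest translation that started at or before the event, which is what makes it correct when the same public port is reused by a different internal host later, and it reports UNRESOLVED rather than guessing when the only matching translation is older than its assumed lifetime.

```python
"""Retrospective NAT log reconciliation (added example, not from the list thread)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed policy values (not from the thread): how long a logged translation may be
# trusted after it was first seen, and how far the two parties' clocks may disagree.
MAX_LIFETIME = timedelta(minutes=30)
CLOCK_SKEW = timedelta(seconds=60)

# Constructed translation records from the firewall's internal interface.
# Assumed format: time  internal ip:port -> public ip:port  dst ip:port
NAT_LOG = """\
1999-01-13T21:20:00 10.1.2.3:45001 -> 192.0.2.10:40001 dst 198.51.100.5:80
1999-01-13T21:24:30 10.1.2.7:51234 -> 192.0.2.10:40002 dst 198.51.100.5:80
1999-01-13T21:31:00 10.1.2.9:33000 -> 192.0.2.10:40001 dst 198.51.100.5:80
"""

# Constructed records received from the external entity; they only ever see the
# firewall's public address. Assumed format: time  src ip:port -> dst ip:port  event
EXTERNAL_LOG = """\
1999-01-13T21:26:00 192.0.2.10:40001 -> 198.51.100.5:80 GET /index.html
1999-01-13T21:27:10 192.0.2.10:40002 -> 198.51.100.5:80 GET /admin
1999-01-13T21:32:05 192.0.2.10:40001 -> 198.51.100.5:80 POST /login
1999-01-13T22:40:00 192.0.2.10:40001 -> 198.51.100.5:80 GET /late
"""

FlowKey = Tuple[str, int, str, int]  # (public ip, public port, dst ip, dst port)

@dataclass
class Translation:
    start: datetime
    internal: str              # "ip:port" of the real source host behind the firewall

@dataclass
class Resolved:
    when: datetime
    public: str
    event: str
    internal: Optional[str]    # None when no translation can be matched

NAT_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) dst (\S+):(\d+)$")
EXT_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (.*)$")

def parse_nat_log(text: str) -> Dict[FlowKey, List[Translation]]:
    """Index translation records by the 4-tuple the external entity can observe."""
    table: Dict[FlowKey, List[Translation]] = {}
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guess at them
        ts, iip, iport, pip, pport, dip, dport = m.groups()
        key = (pip, int(pport), dip, int(dport))
        table.setdefault(key, []).append(
            Translation(datetime.fromisoformat(ts), f"{iip}:{iport}"))
    for entries in table.values():
        entries.sort(key=lambda t: t.start)
    return table

def lookup(table: Dict[FlowKey, List[Translation]], key: FlowKey,
           when: datetime) -> Optional[str]:
    """Newest translation that began at or before the event (allowing clock skew)
    and is still within its assumed lifetime. Choosing the newest is what handles
    reuse of the same public port by a later internal host."""
    best = None
    for t in table.get(key, []):
        if t.start <= when + CLOCK_SKEW:
            best = t  # entries are sorted, so the last hit is the newest
    if best is None or when - best.start > MAX_LIFETIME:
        return None
    return best.internal

def reconcile(nat_log: str, ext_log: str) -> List[Resolved]:
    """Attribute each external event to an internal host, or None if unresolvable."""
    table = parse_nat_log(nat_log)
    out: List[Resolved] = []
    for line in ext_log.splitlines():
        m = EXT_RE.match(line.strip())
        if not m:
            continue
        ts, sip, sport, dip, dport, event = m.groups()
        when = datetime.fromisoformat(ts)
        key = (sip, int(sport), dip, int(dport))
        out.append(Resolved(when, f"{sip}:{sport}", event, lookup(table, key, when)))
    return out

if __name__ == "__main__":
    for r in reconcile(NAT_LOG, EXTERNAL_LOG):
        print(f"{r.when.isoformat()} {r.public} -> {r.internal or 'UNRESOLVED'}  {r.event}")
```

With the constructed input, the 21:32 event on port 40001 resolves to 10.1.2.9 (the later translation), not 10.1.2.3, and the 22:40 event is left unresolved because the only translation for that tuple is over an hour old. Whatever lifetime you choose has to match the firewall's actual translation timeout, otherwise a stale mapping gets attributed to the wrong host.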

                -
                [To unsubscribe, send mail to [EMAIL PROTECTED] with
                "unsubscribe firewalls" in the body of the message.]