Well... if I put the encryption box out to the DMZ... then several problems
might arise, such as sniffing, and as the firewall has nearly all ports closed
(also 135 to 139) the remote sites wouldn't be able to talk to our domain if
the encryption box did not come after the firewall. The IDS should log any
improper traffic, so I think this is not much of a problem.

Do you think this is acceptable then... or would you look into a two-ring
firewall instead?

Thanks in advance

Cheers

Boris Pavalec [QPB]
Network / System Engineer [MCSE]
Highend Computing Systems
Switzerland - Zuerich

http://www.nt-admin.net
[EMAIL PROTECTED]


-----Original Message-----
From: dlang [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 20 June 1999 14:42
To: 'firewalls'; 'ADMIN.MISC'
Subject: Firewall??!!


-----BEGIN PGP SIGNED MESSAGE-----

I would reverse the firewall and encryption box, unless you want to give
unlimited access between the sites (the encryption boxes will tunnel
through the firewalls)

Other than that I think you have the right idea.

David Lang

On Sun, 20 Jun 1999 [EMAIL PROTECTED] wrote:

> Date: Sun, 20 Jun 1999 14:43:22 +0200
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Firewall??!!
> 
> Ok guys/gals... now after all the nice hot-air discussions about NT vs Uniks...
> 
> ... can anybody tell me how I could protect a wireless LAN? *G*
> 
> That's serious... we're looking into buying one of those wireless devices which
> will handle somewhere between 2 and 10 Mbps (best case though)... to connect a
> couple of remote offices.
> 
> As far as I see I'm pretty cleartext through the air... and anybody with the 
> right equipment could sniff the hell out of my traffic...
> 
> So I guess something like this would be most sensible:
> 
> One of my sites(main master site):
> 
> [Main]   [Encryp-]   [ Fire ]   [ Wire-]
> [    ]---[ tion  ]---[      ]---[ less ]- - - T H I S - I S - A I R -  
> [Site]   [  box  ]   [ wall ]   [device] 
> 
> 
> 
> 
>         [ WLAN ]   [ Fire ]   [Encryp-]   [Customer]
> A I R - [      ]---[      ]---[ tion  ]---[        ]
>         [Device]   [ wall ]   [  box  ]   [  Site  ] 
> 
> 
> 
> Well... hope it doesn't wrap!!!  ;-)
> 
> Isn't that a bit too complicated? I mean it's great to have a free 2 - 10 Mb
> link to the customers (you pay somewhere around 14'000 sFr [1] monthly for a 2
> Mb link to the net) but having 3 to 4 boxes on every site is really not too cool.
> 
> Can anybody suggest any good Wireless LAN manufacturer? Any suggestions to the
> scenario (yeah I know that most firewalls can encrypt traffic... this scheme is
> just schematic *G*). I had a look at Lucent... however... they didn't have many
> pictures  ;-)))
> 
> Cheers
> 
> Boris Pavalec [QPB]
> Network / System Engineer [MCSE]
> Highend Computing Systems
> Switzerland - Zuerich
> 
> http://www.nt-admin.net
> [EMAIL PROTECTED]
> 
> 
> 
> [1] Which is about 12'000$
> 
> 

"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
- -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBN21ReT7msCGEppcbAQEkHwf7BY4116Mgai8fykHQV16GokpmueCe7Ona
YcKq0T8ugiNGjqe7pBVNSKRZuGHk4ftaRCEColoB5C6eMFo8hz0vD5GIPJkDfYUM
8I67+lZmO5YFXxaoQvc/lsfzrlnB1A+nFjag9+X3PaFhK59mjTq/9FCoQMKzGk3G
dpe8nRBQMAXvcb5fWLEbsL2Uzb0izpjP+tDUg1dh6j3qBtIxxF+QBeoCbGuyybnO
FFZKlrVDY/MYt6u+xM16Lb9cg9QB1pEskpQnF38zY9B2KiL3OFqPUQVUO/5qlD/P
zIDGhYZo1/sPKZtVWnFuFzVgiG/X264IGILpzI0FPALM2wMypbGnWg==
=TTaM
-----END PGP SIGNATURE-----
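The disagreement in this thread is about ordering: with the firewall on the air side of the encryption box (as drawn), the firewall only ever sees the tunnel packets between the two boxes and has to let them through, so whatever the remote site sends inside the tunnel reaches the domain unfiltered; with the order reversed, the firewall sees the decrypted traffic and its port rules apply, at the cost of a cleartext segment between the box and the firewall. The following model is an added example written for this page, not code from either poster; the addresses, rule set and the ESP-style tunnel packet are constructed assumptions, and the model ignores authentication, replay protection and the return direction.

```python
"""Model of a firewall placed before or after an encryption (tunnel) box.

Added example; names, addresses and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "esp" (tunnelled)
    dport: Optional[int] = None       # None for esp
    inner: Optional["Packet"] = None  # cleartext packet carried inside esp


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    proto: Optional[str] = None              # None matches any protocol
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range
    src: Optional[str] = None                # None matches any source

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        if self.ports is not None:
            if p.dport is None or not (self.ports[0] <= p.dport <= self.ports[1]):
                return False
        return True


class Firewall:
    """First-match packet filter with a default action."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class EncryptionBox:
    """Site-to-site tunnel endpoint: wraps cleartext in an esp packet to its peer."""

    def __init__(self, local: str, peer: str):
        self.local, self.peer = local, peer

    def encrypt(self, p: Packet) -> Packet:
        return Packet(self.local, self.peer, "esp", inner=p)

    def decrypt(self, p: Packet) -> Packet:
        if p.proto != "esp" or p.src != self.peer or p.inner is None:
            raise ValueError("not a tunnel packet from our peer")
        return p.inner


Hop = Union[Firewall, EncryptionBox]


def deliver(path: List[Hop], p: Packet) -> str:
    """Walk an inbound packet through the main site's hops, air side first."""
    for hop in path:
        if isinstance(hop, Firewall):
            if hop.decide(p) != "allow":
                return "dropped"
        else:
            p = hop.decrypt(p)
    return "delivered"


def cleartext_outside_firewall(path: List[Hop]) -> bool:
    """True if decrypted traffic crosses a segment on the air side of the firewall."""
    seen_box = False
    for hop in path:
        if isinstance(hop, EncryptionBox):
            seen_box = True
        elif isinstance(hop, Firewall) and seen_box:
            return True
    return False


# Constructed sample: main site firewall closes 135-139, allows 80 and the tunnel.
MAIN_FW = Firewall([
    Rule("deny", proto="tcp", ports=(135, 139)),
    Rule("allow", proto="tcp", ports=(80, 80)),
    Rule("allow", proto="esp", src="192.0.2.2"),
])
MAIN_BOX = EncryptionBox(local="192.0.2.1", peer="192.0.2.2")
REMOTE_BOX = EncryptionBox(local="192.0.2.2", peer="192.0.2.1")

AS_DRAWN = [MAIN_FW, MAIN_BOX]   # air -> firewall -> encryption box -> main site
REVERSED = [MAIN_BOX, MAIN_FW]   # air -> encryption box -> firewall -> main site

SMB = Packet("10.2.0.5", "10.1.0.10", "tcp", dport=139)   # NetBIOS session
HTTP = Packet("10.2.0.5", "10.1.0.10", "tcp", dport=80)


def outcome(path: List[Hop], cleartext: Packet) -> str:
    """Remote site encrypts the packet; it crosses the air and enters the main site."""
    return deliver(path, REMOTE_BOX.encrypt(cleartext))


def seen_on_air(cleartext: Packet) -> str:
    """Protocol a sniffer on the wireless link observes."""
    return REMOTE_BOX.encrypt(cleartext).proto


if __name__ == "__main__":
    for name, path in (("as drawn", AS_DRAWN), ("reversed", REVERSED)):
        print(name, "SMB:", outcome(path, SMB), "HTTP:", outcome(path, HTTP),
              "cleartext outside fw:", cleartext_outside_firewall(path))
```

In both orderings the sniffer on the air sees only tunnel packets, which answers the original question; what changes is whether the firewall's port 135-139 block ever gets to see a port number. Boris's observation that the domain traffic stops working once the box is outside the firewall is the same fact seen from the other side: the filter is now doing what it was configured to do.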

