Good points. Additionally, you can use dialer callback as another layer of
protection.
-----Original Message-----
From: jaeger [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, July 08, 1999 5:56 AM
To: Firewalls; ruegamer
Cc: jaeger
Subject: RE: Subject: Remote diagnostic security
We recommend the following approach to this widespread problem:
Put a RAS server or any other remote access device in the DMZ.
Authenticate remote users on the firewall. Establish a rule set on the
firewall that limits remote users' access to only those systems really
needed. Sounds too good to be true? Right, you still have the problem of
authenticated remote users misusing the servers they have access to as a
jump platform. To prevent this you should have an IDS in place that
monitors remote users' activity and enforces a security policy on the
server itself. You need a host-based IDS to achieve that level of
security.
Alternatively, you could have more than one DMZ or a second firewall,
where all your servers are sitting behind the 1st firewall but cannot be
misused as a jump platform because of the 2nd firewall.
Karl Jaeger
BDG
Peter wrote:
>Date: Tue, 6 Jul 1999 10:53:40 +0200
>From: [EMAIL PROTECTED]
>Subject: Remote diagnostic security
>
>Hello,
>
>Does anyone have a suggestion for how I can handle remote diagnostic access to
>servers in our LAN? My first thought was to put the servers which need
>remote diagnostic access in the DMZ. But in this case I have to put all
>my servers in the DMZ sooner or later. The remote diagnostic user
>shouldn't get any access to other servers on the LAN. Yes, I know I'm
>asking for something impossible. But if anyone has a solution, please
>let me know. Thanks in advance.
>
>Peter Ruegamer
>Network Administrator
>MTU Friedrichshafen
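The two-firewall design Karl describes (RAS segment, a second DMZ for the diagnosed servers, LAN behind it), as an added example that is not part of this thread: a Linux packet filter carrying both rule sets on one box with three interfaces. Interface names, the dial-in address pool and the host:port list are constructed placeholders; the point is the default-deny forward policy, the per-server allow list from the RAS pool, and the drop-and-log rule that stops the diagnosed servers from opening sessions into the LAN.

```shell
#!/bin/sh
# Added example (not from the thread). One Linux firewall with three
# interfaces stands in for the "1st firewall" and "2nd firewall" described
# above. All names and addresses below are constructed placeholders.
RAS_IF="${RAS_IF:-eth1}"      # segment holding the RAS server / dial-in pool
SRV_IF="${SRV_IF:-eth2}"      # second DMZ holding the servers being diagnosed
LAN_IF="${LAN_IF:-eth0}"      # internal LAN
RAS_POOL="${RAS_POOL:-10.10.1.0/24}"
# Servers that genuinely need remote diagnostics, as "host:port" pairs
DIAG_TARGETS="${DIAG_TARGETS:-192.168.5.10:22 192.168.5.11:3389}"

# apply_ras_rules [IPT]: IPT defaults to iptables; pass "echo" to print the
# rules instead of loading them.
apply_ras_rules() {
  IPT="${1:-iptables}"
  $IPT -P FORWARD DROP                   # default deny between all segments
  $IPT -F FORWARD
  # Return traffic for sessions the rules below already admitted
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 1st firewall: the RAS pool may open only the listed host/port pairs
  for t in $DIAG_TARGETS; do
    host="${t%%:*}"; port="${t##*:}"
    $IPT -A FORWARD -i "$RAS_IF" -o "$SRV_IF" -s "$RAS_POOL" -d "$host" \
      -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # 2nd firewall: the diagnosed servers never initiate sessions into the
  # LAN, so a remote user logged on to them cannot use them as a jump
  # platform; attempts are logged for the IDS / log review
  $IPT -A FORWARD -i "$SRV_IF" -o "$LAN_IF" -j LOG --log-prefix "JUMP-ATTEMPT: "
  $IPT -A FORWARD -i "$SRV_IF" -o "$LAN_IF" -j DROP
  # Anything else coming from the RAS segment is logged, then dropped
  $IPT -A FORWARD -i "$RAS_IF" -j LOG --log-prefix "RAS-DENY: "
  $IPT -A FORWARD -i "$RAS_IF" -j DROP
}

# Without the argument "load", only print the rules that would be loaded
[ "${1:-}" = "load" ] && apply_ras_rules || apply_ras_rules echo
```

Run as `sh ras-rules.sh load` on the firewall to apply the rules for real; any other invocation prints them for review.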