A new category of products - cyberwalls, that perform very granular network
access control and intrusion prevention on the actual servers - can
eliminate your concern, since a rule can be put on the server defining
combinations of in/out services (ports) and IP addresses and would hence
eliminate back-end connections by someone accessing the remotely diagnosed (or
managed) server.
If you'd like more info, please send me a mail off the thread.
Thanx
Avi
Network-1 Security Solutions, Inc.
"Securing e-Business Networks"
> -----Original Message-----
> From: /o=citicorp/ou=DOMDI/cn=Recipients/cn=dmarkle On Behalf Of David
> Markle
> Sent: Thursday, July 08, 1999 8:51 AM
> To: 'jaeger'; 'Firewalls'; 'ruegamer'
> Subject: RE: Subject: Remote diagnostic security
>
> Good points. Additionally, you can use dialer call back as another layer
> of protection.
>
> -----Original Message-----
> From: jaeger [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, July 08, 1999 5:56 AM
> To: Firewalls; ruegamer
> Cc: jaeger
> Subject: RE: Subject: Remote diagnostic security
>
> We recommend the following approach to this widespread problem:
>
> Put a RAS server or any other remote access device in the DMZ.
> Authenticate remote users on the firewall. Establish a rule set on the
> firewall that limits remote users' access to only those systems really
> needed. Sounds too good to be true? Right, you still have the problem of
> authenticated remote users misusing the servers they have access to as a
> jump platform. To prevent this you should have an IDS in place that
> monitors remote users' activity and enforces a security policy on the
> server itself. You need a host-based IDS to achieve that level of
> security.
> Alternatively you could have more than one DMZ or a second firewall,
> where all your servers are sitting behind the 1st firewall, but cannot
> be misused as a jump platform because of the 2nd firewall.
>
> Karl Jaeger
> BDG
>
> Peter wrote:
>
> >Date: Tue, 6 Jul 1999 10:53:40 +0200
> >From: [EMAIL PROTECTED]
> >Subject: Remote diagnostic security
> >
> >Hello,
> >
> >Does anyone have a suggestion on how I can handle remote diagnostic access
> >to servers in our LAN? My first thought was to put the servers which need
> >remote diagnostic access in the DMZ. But in this case I have to put all
> >my servers in the DMZ sooner or later. The remote diagnostic user
> >shouldn't get any access to other servers on the LAN. Yes, I know I'm
> >asking for something impossible. But if anyone has a solution, please
> >let me know. Thanks in advance.
> >
> >Peter Ruegamer
> >Network Administrator
> >MTU Friedrichshafen
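As an added example (not posted by anyone in this thread, and not any vendor's product): the per-server rule Avi describes, and the "no jump platform" policy Karl wants enforced on the host itself, written as an nftables ruleset for a Linux server that receives remote diagnostic access. The LAN subnet, the diagnostic station's address, the DNS server and the diagnostic port are placeholder values assumed for the example.

```nftables
#!/usr/sbin/nft -f
# Host-level policy for a server that is diagnosed remotely.
# Placeholder values assumed for this example:
#   LAN            10.0.0.0/8
#   diagnostic box 192.0.2.10   (arrives via the RAS device in the DMZ)
#   DNS resolver   10.0.0.53
#   diagnostic svc TCP/3389
flush ruleset

define lan_net    = 10.0.0.0/8
define diag_host  = 192.0.2.10
define dns_server = 10.0.0.53
define diag_port  = 3389

table inet diag_server_policy {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Only the diagnostic station may open the diagnostic service;
        # log each new session so the host IDS / log collector sees it.
        ip saddr $diag_host tcp dport $diag_port ct state new log prefix "diag-session-open " accept

        # Any other traffic from the diagnostic station is logged and dropped.
        ip saddr $diag_host log prefix "diag-unexpected-in " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept

        # Services the server itself legitimately needs, as explicit
        # (destination, port) pairs, before the blanket LAN rule below.
        ip daddr $dns_server udp dport 53 ct state new accept

        # The server must not be usable as a jump platform: no new
        # connections from it into the LAN. Log attempts for detection.
        ip daddr $lan_net ct state new log prefix "diag-jump-attempt " drop
    }
}
```

Load with `nft -f` on the server; the three log prefixes give a host IDS or syslog rule something concrete to alert on (a "diag-jump-attempt" line during a diagnostic session is exactly the misuse Karl describes).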