> A new category of products, cyberwalls, which perform very granular
> network access control and intrusion prevention on the actual servers,
> can eliminate your concern, since a rule can be put on the server defining
> combinations of in/out services (ports) and IP addresses and would hence
> eliminate back-end connections by someone accessing the remotely diagnosed
> (or managed) server.
>
> If you'd like more info, please send me a mail off the thread.
>
> Thanx
>
> Avi
>
> Network-1 Security Solutions, Inc.
> "Securing e-Business Networks"
>
> -----Original Message-----
> From: /o=citicorp/ou=DOMDI/cn=Recipients/cn=dmarkle On Behalf Of
> David Markle
> Sent: Thursday, July 08, 1999 8:51 AM
> To: 'jaeger'; 'Firewalls'; 'ruegamer'
> Subject: RE: Subject: Remote diagnostic security
>
> Good points. Additionally, you can use dialer call back as another
> layer of protection.
>
> -----Original Message-----
> From: jaeger [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, July 08, 1999 5:56 AM
> To: Firewalls; ruegamer
> Cc: jaeger
> Subject: RE: Subject: Remote diagnostic security
>
> We recommend the following approach to this widespread problem:
>
> Put a RAS server or any other remote access device in the DMZ.
> Authenticate remote users on the firewall. Establish a rule set on the
> firewall that limits remote users' access to only those systems really
> needed. Sounds too good to be true? Right, you still have the problem of
> authenticated remote users misusing the servers they have access to as a
> jump platform. To prevent this you should have an IDS in place that
> monitors remote users' activity and enforces a security policy on the
> server itself. You need a host-based IDS to achieve that level of
> security.
> Alternatively you could have more than one DMZ or a second firewall,
> where all your servers are sitting behind the 1st firewall, but cannot be
> misused as a jump platform because of the 2nd firewall.
>
> Karl Jaeger
> BDG
>
> Peter wrote:
>
> >Date: Tue, 6 Jul 1999 10:53:40 +0200
> >From: [EMAIL PROTECTED]
> >Subject: Remote diagnostic security
> >
> >Hello,
> >
> >Does anyone have a suggestion for how I can handle remote diagnostic
> >access to servers in our LAN? My first thought was to put the servers
> >which need remote diagnostic access in the DMZ. But in this case I
> >have to put all my servers in the DMZ sooner or later. The remote
> >diagnostic user shouldn't get any access to other servers on the LAN.
> >Yes, I know I'm asking for something impossible. But if anyone has a
> >solution, please let me know. Thanks in advance.
> >
> >Peter Ruegamer
> >Network Administrator
> >MTU Friedrichshafen
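The thread's recommendation boils down to a per-server policy: the diagnosed server accepts the remote user's session and nothing else, and it may not open connections into the LAN, so it cannot serve as a jump platform. The following is an added example, not code from any of the posters or from any product mentioned in the thread; it models such a rule table (direction, peer network, protocol, port, first match wins, default deny) and runs it over a few constructed flows. The RAS address pool, LAN ranges and host addresses are assumptions made up for the illustration.

```python
"""Model of a per-server in/out access policy as discussed in the thread.

Added example; it is not any vendor's rule syntax. Addresses and ports below
are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in": connection arrives at this server; "out": it originates here
    peer: ipaddress.IPv4Network    # network the other end of the connection must belong to
    action: str                    # "allow" or "deny"
    proto: Optional[str] = None    # "tcp" / "udp"; None matches any protocol
    port: Optional[int] = None     # destination port; None matches any port


@dataclass(frozen=True)
class Flow:
    direction: str
    peer: ipaddress.IPv4Address
    proto: str
    port: int


def make_flow(direction: str, peer: str, proto: str, port: int) -> Flow:
    """Convenience constructor so callers can pass the peer as a string."""
    return Flow(direction, ipaddress.ip_address(peer), proto, port)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.proto in (None, flow.proto)
            and rule.port in (None, flow.port)
            and flow.peer in rule.peer)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; a flow no rule covers is denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Decision for every flow; the 'deny' entries are what a host-based
    IDS would raise as a policy violation by the logged-in user."""
    return [(flow, evaluate(rules, flow)) for flow in flows]


def denied_outbound(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Outbound connections the server refused: the jump-platform attempts."""
    return [f for f, action in audit(rules, flows)
            if action == "deny" and f.direction == "out"]


# Constructed topology (assumption): the RAS server in the DMZ hands dial-in
# users addresses from 192.0.2.0/24, the LAN is 10.1.0.0/16, and the diagnosed
# server only needs SSH in plus DNS and syslog out to two specific LAN hosts.
RAS_POOL = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.1.0.0/16")
DNS_SERVER = ipaddress.ip_network("10.1.0.53/32")
SYSLOG_SERVER = ipaddress.ip_network("10.1.0.10/32")

DIAG_SERVER_RULES = [
    Rule("in", RAS_POOL, "allow", "tcp", 22),        # remote diagnostic session
    Rule("in", LAN, "allow", "tcp", 22),             # local administrators
    Rule("out", DNS_SERVER, "allow", "udp", 53),     # name resolution only to our resolver
    Rule("out", SYSLOG_SERVER, "allow", "udp", 514), # ship logs off the box
    Rule("out", LAN, "deny"),                        # everything else toward the LAN is refused
]

# Constructed sample flows: one legitimate session, then what a misused
# session would try next.
SAMPLE_FLOWS = [
    make_flow("in", "192.0.2.17", "tcp", 22),       # remote user logs in: allowed
    make_flow("in", "192.0.2.17", "tcp", 445),      # remote user probes SMB: denied
    make_flow("out", "10.1.0.53", "udp", 53),       # server resolves a name: allowed
    make_flow("out", "10.1.7.3", "tcp", 445),       # pivot to a LAN file server: denied
    make_flow("out", "10.1.7.3", "tcp", 22),        # pivot over SSH: denied
    make_flow("out", "198.51.100.9", "tcp", 80),    # out to the Internet: no rule, denied
]

if __name__ == "__main__":
    for flow, action in audit(DIAG_SERVER_RULES, SAMPLE_FLOWS):
        print(f"{action:5} {flow.direction:3} {flow.proto}/{flow.port:<4} peer={flow.peer}")
```

Rule order matters: the specific DNS and syslog allows sit above the blanket LAN deny, and anything the table does not mention at all (here, the connection to the Internet) falls through to the default deny. The denied outbound list is the signal Karl's host-based IDS would act on, since an authenticated diagnostic user has no reason to open those connections.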