1999-09-29-07:14:20 Dirk.Nerling:
> we have some users working outside our net which need to access the intranet
> server from the internet (and have dynamic IP addresses). We use the FWTK on
> the firewall and have a RFC 1597 IP net. Does anybody of you have an idea
> how to install a secure solution? How do YOU play with such a configuration?
I'd configure plug-gw to let them ssh to a rendezvous machine inside the
firewall, after which they could access whatever other services they need from
other machines inside.
But only after I ensured that the originating machines they used to come in
were themselves tightly secured. If I didn't have complete control over those
machines, I'd probably rig a logwatcher to keep an eye out for incoming
connections, and whenever it sees one, portscan the originating host; if it
shows up nasty, pull the plug, adjust the config to lock 'em out, and notify
the admin so they can straighten the user out.
If I were slightly less paranoid the one change I might make is instead of
plugging through to a springboard box, just run an sshd right on the firewall
and let 'em have unprivileged logins there. That'd depend on the size of the
company and the size of the gap between the users' expertise and the security
called for by policy. But I wouldn't drop the backscan-and-kill; if you let
someone tunnel into your secure net from a badly secured machine, your
secured net isn't any more.
-Bennett
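As an added illustration (not part of Bennett's post), this is roughly what the plug-gw part of that advice looks like in FWTK's inetd entry and netperm-table. The rendezvous address 10.1.1.5 and the file paths are assumed, and the directive names follow the FWTK plug-gw documentation as I remember it, so check them against the man page of your installed version.

```conf
# /etc/inetd.conf on the firewall: hand inbound port 22 to plug-gw
# (assumed install path; "ssh" must map to 22 in /etc/services)
ssh  stream  tcp  nowait  root  /usr/local/etc/plug-gw  plug-gw ssh

# /usr/local/etc/netperm-table: rules for the "ssh" plug-gw instance
# Drop idle sessions so a forgotten remote box does not hold a tunnel open
# (timeout in seconds; confirm the directive name in your FWTK release).
plug-gw:  timeout 3600
# Users come from dynamic addresses, so any source may connect, but the
# only thing plug-gw will relay is port 22 on the rendezvous host
# (10.1.1.5 is an assumed address inside the RFC 1597 private range).
# Nothing else on the inside is reachable until they are on that box,
# and the firewall itself runs no sshd.
plug-gw:  port 22  *  -plug-to 10.1.1.5  -port 22
```

Replacing the `*` source with a list of known networks is the first thing to do if the remote users' addresses ever become static.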