Specific recommendation: DON'T ALLOW INBOUND TELNET AND FTP, they both use
clear text passwords. Crackers WILL find them, have no doubt. If you have
to allow inbound, at least force them to use ssh instead of telnet. ssh
encrypts the data stream reasonably well. For ftp, I'd put a server in
front of your firewall, or better yet on a service segment. People can ftp
from the internet to the firewall, and other people can ftp from inside to
the ftp server. In that way there is no continuous connection from the
outside all the way in. If you allow anonymous ftp, then have a cron
process sweep through and delete files over a day or so old in the ftp
directory. Otherwise you risk becoming a warez depot (people dropping off
cracked games and programs for others to fetch).
On Tuesday, April 04, 2000 10:23 AM, Laura Usakowski
[SMTP:[EMAIL PROTECTED]] wrote:
> Attention Firewalls Group.
>
> As one part of our security plan, we have implemented a Raptor
> firewall between the Internet (External network) and the campus
> networks. The campus networks include a DMZ zone (mail
> servers, web servers, etc.) and an Internal network (campus-only
> servers (Linux) and file servers (NetWare 5), Intranet web servers,
> etc.).
>
> We have a proposal up for discussion. I would like opinions on the
> security implications.
>
> Proposal:
>
> The need is to provide access to an internal campus Unix server
> from the Internet. The required access would be telnet and ftp.
>
> This access would be provided through the firewall. We would
> assign an IP address on the external network. Our firewall would
> provide a virtual connection to the internal Unix server (private class
> A) address. The Unix server has a dial-out only modem/phone line
> installed.
>
> What are the _specific_ security concerns with this proposal? Are
> there any risks to other servers on the internal network? Are there
> any recommendations or alternatives on how to implement this
> type of access while minimizing the security risks. Does it matter
> on the firewall vendor we have? Does it matter that we have a
> modem installed in the server?
>
>
> ------------------------------
> Laura Usakowski, Network Administrator
> Aquinas College, Information Technology & Services
> 1607 Robinson RD SE, Grand Rapids MI 49506 USA
> http://www.aquinas.edu, 616-459-8281 x3729
> [EMAIL PROTECTED]
> Personal e-mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
*****************************************************************************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
*****************************************************************************
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
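The cron sweep the reply suggests for an anonymous ftp directory, written out as an added example; this script is not from the original post or from any ftp server package. The upload path (/var/ftp/incoming) and the install path in the cron comment are assumed, hypothetical values, and the retention window defaults to one day as the reply suggests.

```sh
#!/bin/sh
# Added example (not from the original post): sweep an anonymous-ftp
# upload directory and remove files older than a given number of days,
# so the server cannot serve as a long-lived drop point for "warez".
# Assumptions: FTP_INCOMING is the world-writable upload directory
# (hypothetical path) and MAX_AGE_DAYS is the retention window.
# Both can be overridden from the environment.

FTP_INCOMING="${FTP_INCOMING:-/var/ftp/incoming}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"

# sweep_ftp_dir DIR DAYS
# Deletes regular files anywhere under DIR whose modification time is
# older than DAYS days, and prints the number of files removed.
# Only regular files are touched (-type f), so a planted symlink is
# removed rather than followed, and subdirectories are left in place.
# Returns 1 without deleting anything if DIR is not a directory.
# Note on find semantics: -mtime +N matches files whose age in whole
# days is greater than N, so -mtime +0 catches anything at least
# 24 hours old and -mtime +1 anything at least 48 hours old.
sweep_ftp_dir() {
    dir=$1
    days=$2
    if [ ! -d "$dir" ]; then
        echo "sweep_ftp_dir: $dir is not a directory" >&2
        return 1
    fi
    # Count first so the cron mail reports what was removed.
    count=$(find "$dir" -type f -mtime +"$days" | wc -l | tr -d ' ')
    # -exec ... {} + handles filenames with spaces safely; no word splitting.
    find "$dir" -type f -mtime +"$days" -exec rm -f -- {} +
    echo "$count"
}

# Run the sweep only when invoked with --run (e.g. from cron); merely
# sourcing this file defines the function without touching anything.
# Example crontab line (hypothetical install path), hourly:
#   0 * * * * /usr/local/sbin/ftp-sweep.sh --run
if [ "${1:-}" = "--run" ]; then
    sweep_ftp_dir "$FTP_INCOMING" "$MAX_AGE_DAYS"
fi
```

Run it as an unprivileged account that owns the upload tree rather than as root, and keep the upload directory on its own filesystem or quota so a burst of uploads between sweeps cannot fill the disk the ftp daemon shares with the rest of the host.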