At 11:25 AM 4/21/00 -0400, you wrote:
>For bigger corporate intranet gateways let me ask: Would it mitigate this
>risk (or be possible or practical) to set up SSH proxy service at the
>Internet gateway so that remote users use SSH across the Internet to a
>gateway host to authenticate then traverse the DMZ and firewall
>unencrypted so that whatever rules, application proxies, and auditing are
>implemented are performed in full force? I have supported similar
>configurations for Telnet and FTP proxy servers. Would this approach
>expose the SSH key files on the more vulnerable gateway host?

Or... set up an SSH server in a DMZ. Internal users ssh to this host, then
ssh out from there to wherever on the 'Net they need to go. Should solve
the immediate problem, and it would offer a two-step/intermediary approach
similar (in concept) to the TIS FWTK telnet and ftp proxies. The firewall
is out of the picture as far as hosting keys, passwords, etc. It's just
passing traffic.
Jon
-----------------------------------------------------------------
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)
"God does not subtract from one's allotted time on Earth,
those hours spent flying." --Unknown