Putting it outside the firewall negates the whole purpose of the firewall.
Its only real purpose is to protect the accounting data. The network's only
protected data is the accounting data.
I don't want to FTP the data, I want to use it from the inside and the
outside simultaneously.
Besides, there will not be a machine outside the firewall. The firewall will
NAT the internet feed.
Everyone has jumped on me for putting data on the firewall, but no-one has
really given me a concrete example of a better way to go. I need to stay
with Linux open source solutions. My optimal solution might be to use an SSH
tunnel to the data, wherever on the LAN it is. However, I don't actually
know how to do that with a Windows client and a Linux firewall.
Chris Mason
Box 340, The Valley, Anguilla, British West Indies
Tel: 264 497 5670 Fax: 264 497 8463
USA Fax (561) 382-7771
Take a virtual tour of the island
http://net.ai/ The Anguilla Guide
Find out more about NetConcepts
www.netconcepts.ai
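The SSH tunnel mentioned in the message above can be set up so that the firewall holds no data and only relays one forwarded port. The following is an added example, not part of the original thread; the account name `acctremote`, the file server address `192.168.1.10:445` and the hostname `firewall.example.net` are assumptions chosen for illustration.

```sshdconfig
# /etc/ssh/sshd_config on the Linux firewall (added example, assumed names)
# Goal: the data lives on a LAN host, sshd is the only service the firewall
# exposes to the internet, and the remote account can do nothing except
# forward to one internal address and port.

# Keys only, for every account; no direct root login.
PasswordAuthentication no
PermitRootLogin no

# Hypothetical tunnel-only account used from the laptop.
Match User acctremote
    # Allow client-side (-L) forwards only, no remote (-R) forwards.
    AllowTcpForwarding local
    # The single destination this account may reach (assumed file server).
    PermitOpen 192.168.1.10:445
    GatewayPorts no
    X11Forwarding no
    AllowAgentForwarding no
    # No terminal and no usable command on the firewall itself.
    PermitTTY no
    ForceCommand /bin/false

# On the laptop (OpenSSH client syntax), open the tunnel without a shell:
#   ssh -N -L 127.0.0.1:1445:192.168.1.10:445 acctremote@firewall.example.net
# The client application then connects to 127.0.0.1:1445.
# A request to forward to any other host or port is refused by PermitOpen.
```

PuTTY on Windows offers the same local forward in its Tunnels settings. After editing, `sshd -t` checks the configuration for syntax errors before the daemon is reloaded.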
-----Original Message-----
From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2000 3:05 PM
To: J Weismann
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Looking for firewall solution advice
because, as others have pointed out, having it inside opens holes into
your network, and securing ftp is not an easy chore, look through the
archives of bugtraq for the recent ftp exploits and the history of ftp
vulnerabilities. A hardened host on the DMZ, backed frequently is the way
to go with a task such as this. If the box was only for use by those
inside on the main network, then ya put it there and watch it, but, since
it's not and has to be accessible across the internet, ya put it where
its compromise can do you the least harm. The key here is a hardened
host, screened or perhaps itself firewalled to make its vulnerability as
small as possible.
Thanks,
Ron DuFresne
On Wed, 26 Jul 2000, J Weismann wrote:
> Now why would you have it outside the firewall? By this I mean
> Internet->files->firewall->LAN. Why not put it inside the protection of the
> firewall so the files can be protected? IE Internet->firewall->files->LAN?
>
> that would be a much more secure solution and not leave those files
> available to all who can hack the machine.
>
>
> >From: Ron DuFresne <[EMAIL PROTECTED]>
> >To: J Weismann <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
> >Subject: Re: Looking for firewall solution advice
> >Date: Wed, 26 Jul 2000 13:00:33 -0500 (CDT)
> >
> >
> >never on the firewall, leave it outside and harden the host.
> >
> >Thanks,
> >
> >Ron DuFresne
> >
> >On Wed, 26 Jul 2000, J Weismann wrote:
> >
> > > I'll disagree with this for one reason. Firewall-GOOD! outside firewall
> > > file server-BAD!!! put it on the inside of the firewall and have the users
> > > tunnel or log into the firewall to get access to the files. You leave that
> > > puppy out there on friday and by monday your bandwidth is at 100% usage and
> > > wondering who setup a Warez FTP server on your file server.
> > >
> > > Guard every file like it was your own......
> > >
> > >
> > > >From: Ron DuFresne <[EMAIL PROTECTED]>
> > > >To: Chris Mason <[EMAIL PROTECTED]>
> > > >CC: [EMAIL PROTECTED]
> > > >Subject: Re: Looking for firewall solution advice
> > > >Date: Wed, 26 Jul 2000 10:31:05 -0500 (CDT)
> > > >
> > > >
> > > >I'd rethink the solution and advice under consideration and put the file
> > > >server on a totally different box, most likely on the outside of the
> > > >firewall on the dmz perhaps.
> > > >
> > > >Thanks,
> > > >
> > > >Ron DuFresne
> > > >
> > > >On Wed, 26 Jul 2000, Chris Mason wrote:
> > > >
> > > > > I'm advising a company on setting up a network with remote access. The
> > > > > network will be windows machines with a Linux firewall configured with
> > > > > PMfirewall. There will be a single IP wavelan internet feed to the firewall
> > > > > which will be masq'ed for the internal network which will use non-routable
> > > > > IPs.
> > > > > The firewall machine will also be a fileserver for accounting data. The
> > > > > client would like to be able to access the accounting data on the firewall
> > > > > from outside using her laptop connected to a dial-up account somewhere in
> > > > > the world. I would like to put in place a VPN solution for her.
> > > > > Any suggestions?
> > > > >
> > > > >
> > > > > Chris Mason
> > > > > Box 340, The Valley, Anguilla, British West Indies
> > > > > Tel: 264 497 5670 Fax: 264 497 8463
> > > > > USA Fax (561) 382-7771
> > > > > Take a virtual tour of the island
> > > > > http://net.ai/ The Anguilla Guide
> > > > > Find out more about NetConcepts
> > > > > www.netconcepts.ai
> > > > >
> > > > >
> > > > > -
> > > > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > > "unsubscribe firewalls" in the body of the message.]
> > > > >
> > > >
> > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >"Cutting the space budget really restores my faith in humanity. It
> > > >eliminates dreams, goals, and ideals and lets us get straight to the
> > > >business of hate, debauchery, and self-annihilation." -- Johnny Hart
> > > > ***testing, only testing, and damn good at it too!***
> > > >
> > > >OK, so you're a Ph.D. Just don't touch anything.
> > > >