I'm not sure your problem is just one of firewall placement.

  If those home PCs can reach devices on the trusted network before 
hitting your firewall, so can J. Random Script-Kiddie.  That's not 
good.

  There are two theories to remote access:  (a) remote systems are 
part of the untrusted network, but granted special access (which may 
not offer you any protection if they get compromised and used as a 
springboard) or (b) when the remote system is connected to the 
trusted network, it is (virtually) inside the protected zone.
  This (b) is why several current VPN client programs, when launched 
on the remote machine, cut off all network traffic except that going 
via the VPN tunnel to the trusted network, and all traffic to any 
other destination goes through a gateway on the trusted network (if 
one is provided).  This disposes, fairly neatly, of the home network 
(whether it's wireless is immaterial) or modem as an entree to the 
trusted corporate network.
  Note also that many current VPN clients have also made allowance 
for NAT at the client network end; this used to be an issue.

  WAN links typically provide less bandwidth -- at higher cost! -- 
than LAN links.  Too much seamlessness between them is probably not 
healthy.

David Gillett
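The full-tunnel client behaviour described above (theory (b): once connected, nothing leaves the remote machine except the tunnel itself and traffic inside it), modelled as an added example that is not code from the thread. The gateway address, tunnel interface name and home subnet are assumed values.

```python
"""Model of a full-tunnel VPN client policy (added example, not from the thread).

Assumed values: VPN gateway 203.0.113.10 reached with IKE/NAT-T over UDP 500/4500
or ESP, tunnel interface tun0, home LAN 192.168.1.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address

VPN_GATEWAY = ip_address("203.0.113.10")   # assumed (documentation range)
VPN_PORTS = {500, 4500}                     # IKE and NAT-T, UDP
TUNNEL_IF = "tun0"                          # assumed tunnel interface name


@dataclass(frozen=True)
class Flow:
    iface: str      # interface the packet would leave on
    proto: str      # "udp", "tcp" or "esp"
    dst: str        # destination IPv4 address
    dport: int = 0  # destination port (0 for protocols without ports)


def full_tunnel_allows(flow: Flow) -> bool:
    """Theory (b): only the tunnel transport, or traffic carried inside it, may leave."""
    if flow.iface == TUNNEL_IF:
        return True                          # anything going via the tunnel
    if ip_address(flow.dst) == VPN_GATEWAY:
        if flow.proto == "esp":
            return True                      # the tunnel's own ESP packets
        if flow.proto == "udp" and flow.dport in VPN_PORTS:
            return True                      # IKE / NAT-T keepalives
    return False                             # home LAN, modem, Internet: cut off


def evaluate(flows, policy):
    """Apply a policy function to every flow; returns {flow: allowed}."""
    return {f: policy(f) for f in flows}


def nftables_ruleset() -> str:
    """Equivalent host firewall in nftables syntax (assumed names as above)."""
    ports = ", ".join(str(p) for p in sorted(VPN_PORTS))
    return f"""table inet vpn_only {{
  chain output {{
    type filter hook output priority 0; policy drop;
    oif lo accept
    oif {TUNNEL_IF} accept
    ip daddr {VPN_GATEWAY} udp dport {{ {ports} }} accept
    ip daddr {VPN_GATEWAY} ip protocol esp accept
  }}
}}"""


# Constructed sample flows from a remote PC on the assumed home LAN
SAMPLE = [
    Flow("eth0", "udp", "203.0.113.10", 4500),  # NAT-T to the VPN gateway
    Flow("tun0", "tcp", "10.1.2.3", 445),       # corporate file share via tunnel
    Flow("eth0", "tcp", "192.168.1.20", 445),   # a NAS on the home network
    Flow("eth0", "tcp", "198.51.100.7", 80),    # direct web traffic
]
```

Under the theory (a) model the last two flows would be allowed, which is exactly the path a compromised home-network host could use while the tunnel is up.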


On 4 Jun 2001, at 1:21, Abdulkareem Kusai wrote:

> It is easy to choose the location for a firewall. It goes between
> the trusted and untrusted networks. One reason our network
> engineers like ATM is it seamlessly connects LAN and WAN.
> End-to-end ATM seems to be Nirvana; and a firewall just breaks the
> dream. They are trying to convince me it is OK to connect an
> untrusted WAN to the Corporate LAN ATM switch, and let the PVC
> wander through several Corporate LAN ATM switches before
> terminating it on a firewall. I am trying to convince them the
> firewall should intercept the WAN traffic before it reaches the
> Corporate LAN ATM switches. 
> 
> Where ATM is used in long lines transmission, no one uses
> firewalls, mainly since there is usually not a security gradient.
> When a demonstrably insecure network (ADSL, RAS, etc.) connects
> to our Corporate LAN, there is a security gradient and I feel the
> untrusted traffic should go through the firewall before it wanders
> through several Corporate network ATM switches. 
> 
> Sure ATM PVCs are like dedicated lines, but ATM supports more than
> just our intended PVC. If a trusted and an untrusted ATM switch
> get compromised (how?) they could be configured to carry
> unintended traffic. 
> 
> Is it ok to let this untrusted traffic connect to and wander
> through our corporate network without a firewall? Comments are
> welcome. 
> 
> Untrusted systems can hack their way into the management port of
> the switches. All they have to do is compromise an inside host or
> two. 
> 
> The untrusted systems are not internet hosts; they are home
> computers with ADSL or Dial-Up access to the corporate network.
> The risk on the home systems is they may have answering modems
> with inadequate dial-in security (we don't control the user's home
> modem), or they may be on a home network (wireless?) that has a
> system we cannot see (through NAT) that has an answering modem. 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]