mmm. we don't need access to these servers externally so I'm inclined to
stop this access through the firewall to the proxy (in the dmz) and let the users
bypass the proxy for these servers. I would opt for SecuRemote if I need
access to them remotely.
I have now implemented the address spoofing feature of fw-1 so only
non-other-interfaces addresses are allowed on the external interface. I
remain worried, however, about this service and wonder if there are any
other ways of locking it down - for example could I define this rule (access
to the proxy server on non-standard http and ssl ports) with a condition
that it can only be accessed via the internal interface (or even all
excluding the external one)?
Is it possible?
regards
e
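The interface-bound rule asked about here, next to the source-only rule that the quoted reply confirms can be spoofed, as an added example that is not part of this thread: a constructed Python model of anti-spoofing and rule matching, not FW-1 configuration syntax. Addresses, the squid address and the ports 8084/8447 (stand-ins for the thread's xxx4/xxx7) are assumptions.

```python
import ipaddress

# Constructed model of the thread's layout: FW-1 with internal, dmz and
# external interfaces, squid in the dmz. Not FW-1 configuration syntax.
TOPOLOGY = {                                  # networks sitting behind each interface
    "internal": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz": [ipaddress.ip_network("192.168.100.0/24")],
    "external": [],                           # everything not behind another interface
}
SQUID = ipaddress.ip_address("192.168.100.10")   # constructed proxy address
PROXY_PORTS = {21, 80, 443}                      # public proxy ports named in the thread
NETWARE_PORTS = {8084, 8447}                     # constructed stand-ins for "xxx4"/"xxx7"

# Rule: (source network, destination, ports, ingress interfaces or None = any)
RULES_SRC_ONLY = [                # the rule as originally described: source address only
    ("10.1.0.0/16", SQUID, NETWARE_PORTS, None),
    ("0.0.0.0/0", SQUID, PROXY_PORTS, None),
]
RULES_IFACE = [                   # same rule, additionally bound to the internal interface
    ("10.1.0.0/16", SQUID, NETWARE_PORTS, {"internal"}),
    ("0.0.0.0/0", SQUID, PROXY_PORTS, None),
]

def antispoof_ok(iface, src):
    """Anti-spoofing: a source is only valid on the interface it sits behind.
    On the external interface that means: not an address of any inside network."""
    if TOPOLOGY[iface]:
        return any(src in net for net in TOPOLOGY[iface])
    inside = [net for nets in TOPOLOGY.values() for net in nets]
    return not any(src in net for net in inside)

def decide(iface, src, dport, rules, antispoof=True, dst=SQUID):
    """Verdict for a packet arriving on `iface` from `src` to dst:dport."""
    src = ipaddress.ip_address(src)
    if antispoof and not antispoof_ok(iface, src):
        return "drop:antispoof"
    for src_net, rule_dst, ports, ifaces in rules:
        if src in ipaddress.ip_network(src_net) and dst == rule_dst and dport in ports:
            if ifaces is None or iface in ifaces:
                return "accept"
    return "drop:no-rule"

if __name__ == "__main__":
    # The spoofed case from the thread: internal source address, external interface.
    for rules, asp in ((RULES_SRC_ONLY, False), (RULES_IFACE, False), (RULES_IFACE, True)):
        print(decide("external", "10.1.2.3", 8084, rules, antispoof=asp))
```

With the source-only rule and anti-spoofing off, the spoofed packet is accepted; binding the rule to the internal interface or enabling anti-spoofing each drops it on its own.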
>From: Mike Glassman - Admin <[EMAIL PROTECTED]>
>To: "'Eric Globe'" <[EMAIL PROTECTED]>
>CC: "'fw-1 listserv'" <[EMAIL PROTECTED]>
>Subject: RE: [FW1] Asymmetric firewall!
>Date: Tue, 4 Jul 2000 07:22:24 +0200
>
>The answer is yes, you can be address spoofed and access can be gained.
>
>A more secure connection can be utilized by using SecuRemote or some form
>of VPN which allows access specifically.
>
>I use this with no proxy to access the servers we allow access to directly
>(NAT'd addresses etc).
>
>Mike
>
> > -----Original Message-----
> > From: Eric Globe [SMTP:[EMAIL PROTECTED]]
> > Sent: a eaie 03 2000 15:20
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] Asymmetric firewall!
> >
> >
> > I hope this isn't blindingly obvious but I have a squid proxy and cache
> > server in a dmz and it allows access to a few netware servers that can be
> > controlled remotely from a browser (using non-standard http and https
> > ports).
> > I haven't, as yet, implemented the ip spoofing feature of fw-1 (cos it
> > hampered some ssh services we need) and I want to know how to ensure that
> > access to the squid (and hence netware servers) can be done from outside
> > the firewall.
> >
> > The rules for squid are ftp, http (80), https allow from out to in and
> > allow access to squid on our non-standard http port from inside.
> >
> > For control of netware we have (for example) http on port xxx4 and https
> > on port xxx7 so the rule is internal_net_object to squid on those ports,
> > allow and log. What if someone address spoofed us, could they access squid
> > and the netware servers or would we need to have the addresses of the
> > netware servers NAT'd to legal internet addresses? or am I just paranoid?
> > Sometimes it's hard to be as inspired and resourceful as a black-hatted
> > individual!
> >
> > regards
> >
> > e
> > ________________________________________________________________________
> > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================