Ivan,
IMHO, the best solutions for this are:
1) SecuRemote VPN from them to you, specifically limiting the servers and
protocols available to them
2) Drop a Citrix server in your DMZ, and use Secure-ICA for it's transport.
Then allow the vendor access to the Citrix box, and the Citrix box
specific access tothe servers (Citrix WinFrame/MetaFrame licenses can be
expensive though)
3) Scrap the Internet idea and drop a dedicated circuit between the two
companies.
SSH is an "okay" alternative, but you would need to be VERY careful you
don't open that access to/from unneeded machines. There are several
intrinsic issues with SSH, depending on the version you use, which can
create exposures. It's also succeptable to man-in-the-middle attacks
(which normally are not that big of a deal, but Dug Song has made it very
easy to exploit now, with his recent release of Dsniff 2.3)
VNC is totally un-acceptable. It's authentication method is weak, and it
is trivial to decode it's "encryption".
Just my .02. Hope it's helpful,
Jason
At 12:17 PM 1/21/01 -0500, Ivan Fox wrote:
>
>There are a number of unix-based and NT-based application servers on the
>internal network. They are so special that the vendor needs to access these
>servers from the Internet to trouble-shoot and support, when needed.
>
>The following are proposed "solutions", your comments/suggestions are
>appreciated.
>
>1) SSH for Unix-based servers
>
>2) VNC for NT-based servers
>
>3) VPN for both Unix and NT servers.
>
>In these cases, we need to drill a number of holes on the firewall to allow
>port 22, 5900 or/and 50 to pass through. We want to "vendor" to be
>authenticated by Check Point Firewall-1 before allowing them to come in and
>then access ONLY those servers.
>
>The rule would be
>
>src dst service action
>vendor ip encryption-domain-x 50 client-auth
>consists of ip of
> unix-nt servers
>
>Would such "design" post any security risk to us?
>
>Any comments/suggestions are appreciated.
>
>Dave
>
>
>
>
>===========================================================================
=====
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>===========================================================================
=====
>
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
