Joel A. Matz wrote:
> Ed Doolittle wrote:
>> On Mon, 18 Jan 1999, TGAPE! wrote:
>>> Ed Doolittle wrote:
>
> stuff I have yet to grok removed.
It does get hairy, doesn't it? Sometimes, I think it seems like all the
security stuff is intended just to confuse us. Then I remember, it is.
>> Here's the best answer to the original question: get your employer to act
>> as your ISP as a job benefit. :-)
>>
>> Ed
>>
>> --
>> Ed Doolittle <mailto:[EMAIL PROTECTED]>
>> "Everything we do, we do for a reason." -- Peter O'Chiese
>
> I'm still working on this, I appreciate yours & tgape's input. still
> working on the routing tables & scripts. Unfortunately I only get an
> hour or two to work on this stuff on the weekends.
It wasn't long ago that that was the case with my home box. However, I
have no girlfriend, no wife, no kids, and fairly little else to soak up
enormous amounts of time long-term. Still, apartment cleaning is
starting to ask that I start forsaking the linux box again. On the
bright side, 2.2.0 is about finished, so there's less need. (Not that I
found anything really critical...)
> The VPN issue is fuzzy, as we are an NT shop at work &, due to our
> financial services core, way frigging paranoid about net access. I
> gotta currently go through 2 proxies and a bunch of WINS crud at this
> point to get out.
IMHO, any firewall set up as a non-transparent firewall has one possibly
fatal flaw - those behind the firewall have to know the location
(netwise) of the firewall. This is OK, if the firewall passes
everything going out. Otherwise, this tells them where they should
direct their attacks if they choose to do so. A transparent proxy
doesn't show up as anything special, unless it also sits at the boundary
between private address space and internet address space.
I've yet to figure out an advantage of having two proxies, unless it's
to restrict people internally - in every case I've heard of, someone
capable of breaking through the first will be able to break through the
second in short order. I have seen a triple-machine setup, which
allowed for a de-militarized zone to be accessible from both sides, and
some other stuff, but unless misconfigured, it would only appear as a
single machine (even as far as traceroute is concerned) to anyone
outside it.
(Summary: that sounds broken)
> When we get to VPN I assume it'll be more hassle than you can shake a
> horny toad lizard at...
Depends. Looking at the documentation that I've yet to have the time to
follow, ssh is less than the maximum amount of hassle you can shake a
horny toad lizard at, especially after configured. Cipe also claims to
be relatively easy to deal with.
> And they won't support non-MS platforms.
Well, in that case, unless you can convince them that Linux is a safer
answer (and in today's environment, that is probably more feasible than
ever before - virtually nobody contends that Linux is shaky in the
server area; even Microsoft claims to be scared fecesless), or you can
convince them to let you support it 'on your own time', you're SOL. Our
company has tried to find VPN solutions that run on NT and will handle
unix clients, to no avail.
However, for us, this suggests that there will soon be a Linux box
running alongside the NT VPN box, to handle the other part of the load.
We have no such mandate about not running non-MS stuff. Admittedly,
over half the company is non-MS oriented; it shows Microsoft's monopoly
that we are required to have the ability to run MS. (Fortunately, it
doesn't seem to hurt my position with my managers that I show I have the
ability to run it, but in general refuse to do so - admittedly, my
managers are old unix hacks as well.)
Ed
-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]