>Has anyone considered basic network mechanisms such as routing
>restrictions and proxy servers as a way to keep public kiosks out of
>harm's way?
>
>
>Grouchy Karp <[email protected]>       Department of Information Technology

Routers per se generally only work at layer 3 and cannot distinguish
different services such as httpd, telnet, etc.  Screened subnet
architectures as a firewall technology could provide some of the
segmentation you wish.  We prefer not to run a proxy server on our firewall
for security reasons.  You could set up two servers, one outside your
firewall for the Internet public and one, that mirrors all or part of your
Internet server, on an inside subnet for your kiosks.  You could configure
this subnet not to let any http traffic out, thus preventing people from
linking outside.  If, however, you want to have some external links, either
you have to mirror them to this subnet also or forget screening altogether.
You will need a third logical screened subnet for your staff so they can
use the web, e-mail, etc.  This could start to run into real money if you
don't already have a multiple strand backbone that can be logically divided
into two internal subnets.  It also requires a little fancy firewall
footwork, but I think today's products are now up to the task.  Let me see
if I can map it out below:


Internet--------- Firewall-------Internal Web server subnet and kiosks
/Pub server         |
                    |
                    ------ Staff subnet

        -Bill

--------------------------------------------------------------------------
| William K. Barnett, Ph.D.                 Email: [email protected]      |
| Director, Interdepartmental Laboratories   Tel:   (212) 769-5499       |
| American Museum of Natural History                                     |
| Central Park West at 79th Street                                       |
| New York, NY 10024-5192; USA                                           |
--------------------------------------------------------------------------
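
The three-zone layout described in the reply above, as an added example that is not part of the original message: a small Python model of the firewall's first-match rule table that checks whether any kiosk traffic can leave. The subnets, sample hosts, rule table and function names are all constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumption; the post gives no addresses).
ZONES = {
    "kiosk": ipaddress.ip_network("10.1.0.0/24"),  # internal web mirror + kiosks
    "staff": ipaddress.ip_network("10.2.0.0/24"),  # staff desktops
}
WEB, SMTP, TELNET = 80, 25, 23

def zone_of(addr):
    """Return the zone an address belongs to; non-internal means 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# First-match rule table as seen by the firewall: (src zone, dst zone, port, action).
# A port of None matches any port. Traffic that stays inside one subnet never
# reaches the firewall, so kiosk -> mirror server needs no rule.
BASELINE = [
    ("kiosk", "internet", None, "deny"),   # kiosks cannot link outside
    ("kiosk", "staff",    None, "deny"),   # public terminals cannot reach staff
    ("staff", "internet", WEB,  "allow"),  # staff web
    ("staff", "internet", SMTP, "allow"),  # staff e-mail
    ("staff", "kiosk",    WEB,  "allow"),  # staff can view the mirror (assumption)
]

def decide(rules, src, dst, port):
    """Apply the first matching rule; anything unmatched is denied."""
    s, d = zone_of(src), zone_of(dst)
    for r_src, r_dst, r_port, action in rules:
        if (r_src, r_dst) == (s, d) and r_port in (None, port):
            return action
    return "deny"

def kiosk_leaks(rules, ports=(WEB, SMTP, TELNET)):
    """List the ports on which a kiosk can reach an outside host."""
    kiosk, outside = "10.1.0.20", "192.0.2.10"  # constructed sample hosts
    return [p for p in ports if decide(rules, kiosk, outside, p) == "allow"]

# The trade-off the post describes: in this zone-level model, opening HTTP for
# external links (placed ahead of the deny) opens it for every outside site.
WITH_EXTERNAL_LINK = [("kiosk", "internet", WEB, "allow")] + BASELINE
```

Running kiosk_leaks() against a proposed rule table before deploying it shows whether the kiosk subnet is still screened.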

