
RE: [FW1] Thoughts on external access to Intranet server



Heaven forbid using ACLs on the Bays.

A. The Bays are currently maxed out on memory utilization due to BGP-4, and
I really don't want to play with that.
B. I have over 1000 users who will need access, a large part of whom change
on a weekly or monthly basis by the hundreds (temp workers), and it would be
hell to manage, if feasible at all.

Regarding Tripwire: can you give me more info on that?

When you say they should reside behind the firewall, do you mean on the
internal net or the DMZ, or what exactly?

My main concern still remains the hacking of the internal net via the
Intranet server, and not the Intranet server itself.

Thanks for the ideas though.

Mike

> -----Original Message-----
> From:	CryptoTech [SMTP:[email protected]]
> Sent:	Sunday, November 26 2000 22:33
> To:	Mike Glassman - Admin
> Subject:	Re: [FW1] Thoughts on external access to Intranet server
> 
> Have you considered having the Firewall manage the access list on the Bay,
> or even activating the inspect module on the Bay router?
> 
> I would suggest running Tripwire on the web servers, which should reside
> behind the firewall with some form of IDS monitoring the segment.  You could
> run an ACL on the Bay if you like, but I have a few sites that have been
> locked down in the manner I suggested and they have not been hacked to
> date, despite quite a few attempts.
> 
> HTH,
> CryptoTech
> 
> Mike Glassman - Admin wrote:
> 
> > All,
> >
> > The folks here have decided that an Intranet server will be a good thing
> > (finally).
> >
> > The issue is that they also want access to this server from outside, which
> > in itself is not too much of an issue. Where it becomes a bit more sticky
> > is that they wish to allow external companies access to specific issues on
> > this server, and via them, to other servers in our network (NT, Netware,
> > Unix, AS400 and so on). As well, they want access for our own users from
> > outside to the inside, with, once again, the ability to access and change
> > data on internal servers.
> >
> > Now I could simply allow HTTP access via the firewall with authentication
> > on both the FW and the Intranet server, but that's about as secure as
> > leaving $100s lying around on the floor for all to see and go for.
> >
> > My current setup is as follows:
> >
> > Internet
> >     |
> > Router (double with BGP4 to two ISPs)
> >     |
> > FireWall----DMZ (there's more, but this is all that matters right now)
> >     |
> > Local Network (servers and users)
> >
> > I was thinking that perhaps an additional machine or machines on the DMZ,
> > set up as reverse proxies, or perhaps HTTP routing servers, would get the
> > external requests, and only this server (or servers) would then be allowed
> > to forward and receive data to and from the internal Intranet server.
> >
> > Again, the logic is in there, but I'd really appreciate some direct help
> > on how to best set this up.
> >
> > I can't add a second firewall, and the routers on the Internet side are
> > Bay (so not easy to set up access lists) and already run BGP4, so I'd
> > rather not add anything more to them which may cause them to falter in
> > any way.
> >
> > Ideas and thoughts are welcomed.
> >
> > Please also forward a copy to my email address directly as well as to the
> > group, if you can, of any thoughts you may have.
> >
> > Thanks ahead,
> >
> > Mike Glassman
> > System & Security Admin
> > Israeli Airports Authority
> > Ben-Gurion Airport
> > http://www.ben-gurion-airport.co.il
> >
> > Tel : 972-3-9710785
> > Fax : 972-3-9710939
> > Email : [email protected]
> >
> > Usage of this email address or any email address at iaa.gov.il for the
> > purpose of sales pitches, SPAM or any other such unwanted garbage is
> > illegal, and any person, whether corporate or alone, doing so will be
> > prosecuted to the fullest possible extent.
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
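The segmentation Mike sketches (outside users reach only a DMZ reverse proxy; only that proxy may forward to the Intranet server; nothing else crosses from the DMZ inward) can be checked before it is deployed by modelling the rule base as a first-match policy and auditing the flows that matter. The block below is an added example, not code from the thread or from any firewall product; all addresses, the proxy and Intranet hosts, and the rule set are constructed assumptions.

```python
import ipaddress

# Constructed addresses for the three zones in the original post's diagram.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("192.0.2.10")      # assumed DMZ reverse proxy
INTRANET = ipaddress.ip_address("10.0.0.20")    # assumed internal Intranet web server

def zone(addr):
    """Classify an address into the diagram's zones; anything unknown is the Internet."""
    if addr in DMZ_NET:
        return "dmz"
    if addr in INTERNAL_NET:
        return "internal"
    return "internet"

# First-match rule set: (src, dst, dst_port, action). A selector is either a
# zone name or a single host. Anything not matched falls through to drop.
RULES = [
    ("internet", PROXY, 443, "accept"),   # outside users reach only the proxy, over TLS
    ("internal", PROXY, 443, "accept"),   # inside users use the same front door
    (PROXY, INTRANET, 80, "accept"),      # only the proxy may forward to the Intranet server
]

def _match(selector, addr):
    return zone(addr) == selector if isinstance(selector, str) else addr == selector

def check_flow(src, dst, port):
    """Return the policy's action for src -> dst:port; the first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if _match(rule_src, src) and _match(rule_dst, dst) and rule_port == port:
            return action
    return "drop"

def audit():
    """The intended path must work; the pivots the thread worries about must not."""
    return {
        "user->proxy":           check_flow("203.0.113.5", "192.0.2.10", 443),
        "proxy->intranet":       check_flow("192.0.2.10", "10.0.0.20", 80),
        "user->intranet direct": check_flow("203.0.113.5", "10.0.0.20", 80),
        "proxy->other internal": check_flow("192.0.2.10", "10.0.0.30", 80),
        "proxy->intranet smb":   check_flow("192.0.2.10", "10.0.0.20", 445),
    }

# Note: traffic from the Intranet server to the other internal hosts never
# crosses this firewall, which is exactly the residual risk Mike raises; that
# is what the suggested IDS on the segment and Tripwire on the server cover.
if __name__ == "__main__":
    for flow, action in audit().items():
        print(f"{flow:24} {action}")
```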