Internet -> Inter/IntraNet server with FW1 SecureServer Multihomed -> intranet, with a RealSecure probe on the outside and Tripwire running on the box. If the web software is properly configured, you should be almost totally safe.....

Heaven forbid using ACLs on the Bays.
A. The Bays are currently maxed at memory utilization due to the BGP-4, and I really don't want to play with that.
B. I have over 1000 users who will need access, a large part of whom change on a weekly or monthly basis by the hundreds (temp workers), and it would be hell to manage, if at all feasible.

Regarding Tripwire: can you give me more info re that?
When you say they should reside behind the firewall, do you refer to the internal net or the DMZ, or what exactly?

My main concern still remains the hacking of the internal net via the Intranet server and not the Intranet server itself.

Thanks for the ideas though.
Mike
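Since Tripwire is asked about above without detail, here is a small Python sketch of what a file-integrity checker does (an added illustration for this thread, not code from the list or from the Tripwire product): hash the files under a web root, store the snapshot, and later report what has been added, removed or modified. The directory names and file contents are constructed for the demonstration.

```python
"""Tripwire-style file integrity check (added illustration, not the Tripwire
product): hash every file under a web root, keep the snapshot, later rehash and
report what was added, removed or modified. All paths/contents are constructed."""
import hashlib
import json
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }

def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep the snapshot off the monitored host or on read-only media:
    # whoever can rewrite the baseline can hide every later change.
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))

def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())

def demo(workdir: Path) -> dict:
    """Constructed scenario: snapshot a web root, alter it, re-check."""
    htdocs = workdir / "htdocs"
    htdocs.mkdir(parents=True, exist_ok=True)
    (htdocs / "index.html").write_text("<h1>Intranet</h1>\n")
    (htdocs / "login.cgi").write_text("#!/bin/sh\necho ok\n")
    save_baseline(build_baseline(htdocs), workdir / "baseline.json")
    # Simulated changes made after the snapshot was taken
    (htdocs / "login.cgi").write_text("#!/bin/sh\necho changed\n")
    (htdocs / "extra.cgi").write_text("#!/bin/sh\n")
    (htdocs / "index.html").unlink()
    return compare(load_baseline(workdir / "baseline.json"), build_baseline(htdocs))
```

Running `demo()` against a scratch directory returns one modified, one added and one removed path; the real product adds ownership, permission and inode checks, and signs its database, which this sketch leaves out.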
> -----Original Message-----
> From: CryptoTech [SMTP:[email protected]]
> Sent: Sunday, November 26, 2000 22:33
> To: Mike Glassman - Admin
> Subject: Re: [FW1] Thoughts on external access to Intranet server
>
> Have you considered having the Firewall manage the access list on the Bay, or even activating the inspect module on the Bay router?
>
> I would suggest running tripwire on the web servers, which should reside behind the firewall with some form of IDS monitoring the segment. You could run an acl on the Bay if you like, but I have a few sites that have been locked down in the manner I suggested and they have not been hacked to date, despite quite a few attempts.
>
> HTH,
> CryptoTech
>
> Mike Glassman - Admin wrote:
>
> > All,
> >
> > The folks here have decided that an Intranet server will be a good thing (finally).
> >
> > The issue is, that they also want access to this server from outside, which in itself is not an issue too much. Where it becomes a bit more sticky, is that they wish to allow external companies access to specific issues on this server, and via them, to other servers in our network (NT, Netware, Unix, AS400 and so on). As well, they want access for users of ours from outside inside with, once again, the ability to access and change data on internal servers.
> >
> > Now I could simply allow http access via the firewall with authentication on both the FW and the Intranet server, but that's about as secure as leaving 100$'s laying around on the floor for all to see and go for.
> >
> > My current setup is as follows :
> >
> > Internet
> > |
> > Router (double with BGP4 to two ISP's)
> > |
> > FireWall----DMZ (there's more, but this is all that matters right now)
> > |
> > Local Network (servers and users)
> >
> > I was thinking that perhaps an additional machine or machines on the DMZ, set up as reverse proxies, or perhaps HTTP routing servers, which would get the external requests, and only this server (or servers) would then be allowed to forward and receive data to and from the internal Intranet server.
> >
> > Again, the logic is in there, but I'd really appreciate some direct help on how to best set this up.
> >
> > I can't add a second FireWall, and the routers on the Internet side are Bay (so not easy to set up access lists) and already run BGP4, so I'd rather not add anything more to them which may cause them to falter in any way.
> >
> > Ideas and thoughts are welcomed.
> >
> > Please also forward a copy to my email address direct as well as to the group if you can of any thoughts you may have.
> >
> > Thanks Ahead,
> >
> > Mike Glassman
> > System & Security Admin
> > Israeli Airports Authority
> > Ben-Gurion Airport
> > http://www.ben-gurion-airport.co.il
> >
> > Tel : 972-3-9710785
> > Fax : 972-3-9710939
> > Email : [email protected]
> >
> > Usage of this email address or any email address at iaa.gov.il for the purpose of sales pitches, SPAM or any other such unwanted garbage, is illegal, and any person, whether corporate or alone doing so, will be prosecuted to the fullest possible extent.
> >
> >