
Re: [FW1] Tarantella and FW-1



Hi Pete:

I think leaving the Tarantella server on the DMZ must
be "less insecure" than placing it on the internal
LAN. Supposing someone hacks into the Tarantella
server on the DMZ, from there he will be able to use
only the ports opened up for access to the application
servers. On the other hand, if the Tarantella server
sits on the internal LAN and someone hacks into it, he
will have full access to the internal LAN, unless you
add an additional layer of protection around it.
Please, correct me if I'm wrong. 

Thank you for your reply, Pete.

Orlando Goza
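
Added example, not part of the original messages: a small model of the comparison discussed in this thread, listing which internal listeners a compromised Tarantella server could connect to when it sits on the internal LAN versus on the DMZ behind explicit allow rules. The host names and internal ports are constructed assumptions; the "any-port" case corresponds to the concern in the earlier reply quoted below, that the server may need full access to the network.

```python
# Constructed model, not a FireWall-1 rule base. Host names and the internal
# ports (23, 6000, 139, 1521) are assumptions made up for this illustration.
INTERNAL_LISTENERS = {
    "app1": {23, 6000},      # application servers published via Tarantella
    "app2": {23, 6000},
    "fileserver": {139},     # unrelated internal hosts
    "db": {1521},
}


def dmz_rules(hosts, ports):
    """DMZ -> internal allow rules as a set of (host, port) pairs."""
    return {(h, p) for h in hosts for p in ports}


def reachable_if_compromised(placement, rules=()):
    """Internal (host, port) listeners a compromised Tarantella server can reach."""
    listeners = {(h, p) for h, ps in INTERNAL_LISTENERS.items() for p in ps}
    if placement == "internal":
        # Same segment as the LAN: traffic never crosses the firewall.
        return listeners
    if placement == "dmz":
        # Every connection to the LAN must match an explicit allow rule.
        return listeners & set(rules)
    raise ValueError(f"unknown placement: {placement}")


def compare():
    """Exposure for option 1, option 2 with narrow rules, option 2 with wide rules."""
    narrow = dmz_rules(["app1", "app2"], [23, 6000])
    wide = dmz_rules(INTERNAL_LISTENERS, range(1, 65536))
    return {
        "internal LAN": reachable_if_compromised("internal"),
        "DMZ, narrow rules": reachable_if_compromised("dmz", narrow),
        "DMZ, any-port rules": reachable_if_compromised("dmz", wide),
    }


if __name__ == "__main__":
    for label, pairs in compare().items():
        print(f"{label:20} {len(pairs)} listeners: {sorted(pairs)}")
```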


---------------------------------------------------
Hi Orlando,

I took a minute to look at the Tarantella web page.
You are right, option 3 is the obvious best solution.
As for option 2, it looks like the Tarantella server
needs full access to your network.  If it does, what
good does it do to leave it on the DMZ?

I've looked at several different solutions for this kind
of thing for a Notes implementation we did, and none of
them are as secure as using SecuRemote.  I did test
and implement one of the solutions, and I'm really not
happy with it.  The more I looked at it, the less I
liked it.

HTH,
Pete Goodridge
--- Orlando Goza <[email protected]> wrote:
> 
> 
> Hello dear firewallers:
> 
> Has anybody had any experience with Tarantella
> (http://www.tarantella.com) and FW-1?
> 
> We are planning on installing a Tarantella server
> for giving remote users web-based access to internal
> applications.
> 
> Scenario:
> 
> FW 4.1 SP2 on NT 4.0, SP6a
> 3 NICs: Internal private LAN (NATTed), public DMZ,
> public Internet segment
> 
> Possible options:
> 
> 1) Place the Tarantella server on the internal LAN and
> open up the ports required for access by remote users
> from their browsers (web server port 80 and Tarantella
> ASAD port 3144) at the firewall.
> 
> 2) Place the Tarantella server on the DMZ and allow
> inbound access to it from Internet, allow the
> connections between the Tarantella server and the
> internal application servers through the ports
> required.
> 
> 3) Purchase VPN module and set up access to the
> internal Tarantella server through SecuRemote
> clients.
> 
> 
> I ruled out option 1 because of the insecurity
> associated with allowing direct inbound connections to
> the internal LAN. I am in favor of option 3 because I
> think it is the most secure one, but this solution is
> not as immediate as my manager would want, as we don't
> have a VPN module yet. Additionally, he also favors
> option 2 for not requiring the installation of VPN
> client software as option 3 does, a browser is all
> that is required.
> 
> How do options 2 and 3 compare in terms of security?
> What are the issues, risks involved with option 2?
> 
> I badly need your wise views to help me convince my
> manager that option 3, although less immediate, is the
> route we should go.
> 
> I'm a newbie to the VPN stuff, so please excuse my
> inexperience.
> 
> I'll also very much appreciate any tips, hints,
> recommendations or any other ideas regarding the use
> of a Tarantella server with FW-1.
> 
> Thank you so much in advance for your valuable help.
> 
> Orlando Goza
> 

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 