Re: [FW1] Tarantella and FW-1



Orlando,

If you access the Tarantella server only through
SecuRemote then you are better off having it on the
Internal LAN, where it will only be accessed by
people who are authorized.

If you are going to leave it open to anyone on the
Internet and trust the Tarantella Security Pack, then
leave it in the DMZ.  It just seems that if it has
full access to the application servers from the DMZ
you are not really limiting its access to the
network.  And limiting access to the Internal LAN is one
of the purposes of the DMZ.  If they hack into the
Tarantella server they can only use the ports allowed,
which allow them to access all your application
servers.

THX,
Pete Goodridge


--- Orlando Goza <[email protected]> wrote:
> 
> Hi Pete:
> 
> I think leaving the Tarantella server on the DMZ must
> be "less insecure" than placing it on the internal
> LAN. Supposing someone hacks into the Tarantella
> server on the DMZ, from there he will be able to use
> only the ports opened up for access to the application
> servers. On the other hand, if the Tarantella server
> sits on the internal LAN and someone hacks into it, he
> will have full access to the internal LAN, unless you
> add an additional layer of protection around it.
> Please, correct me if I'm wrong.
> 
> Thank you for your reply, Pete.
> 
> Orlando Goza
> 
> 
> ---------------------------------------------------
> Hi Orlando,
> 
> I took a minute to look at the Tarantella web page.
> You are right, option 3 is the obvious best solution.
> As for option 2, it looks like the Tarantella server
> needs full access to your network.  If it does, what
> good does it do to leave it on the DMZ?
>
> I've looked at several different solutions for this kind
> of thing for a Notes implementation we did, and none of
> them are as secure as using SecuRemote.  I did test
> and implement one of the solutions, and I'm really not
> happy with it.  The more I looked at it, the less I
> liked it.
> 
> HTH,
> Pete Goodridge
> --- Orlando Goza <[email protected]> wrote:
> > 
> > 
> > Hello dear firewallers:
> > 
> > Has anybody had any experience with Tarantella
> > (http://www.tarantella.com) and FW-1?
> >
> > We are planning on installing a Tarantella server
> > for giving remote users web-based access to internal
> > applications.
> >
> > Scenario:
> >
> > FW 4.1 SP2 on NT 4.0, SP6a
> > 3 NICs: Internal private LAN (NATTed), public DMZ,
> > public Internet segment
> >
> > Possible options:
> >
> > 1) Place the Tarantella server on the internal LAN and
> > open up the ports required for access by remote users
> > from their browsers (web server port 80 and Tarantella
> > ASAD port 3144) at the firewall.
> >
> > 2) Place the Tarantella server on the DMZ and allow
> > inbound access to it from Internet, allow the
> > connections between the Tarantella server and the
> > internal application servers through the ports
> > required.
> >
> > 3) Purchase VPN module and set up access to the
> > internal Tarantella server through SecuRemote
> > clients.
> >
> > I ruled out option 1 because of the insecurity
> > associated with allowing direct inbound connections to
> > the internal LAN. I am in favor of option 3 because I
> > think it is the most secure one, but this solution is
> > not as immediate as my manager would want, as we don't
> > have a VPN module yet. Additionally, he also favors
> > option 2 for not requiring the installation of VPN
> > client software as option 3 does, a browser is all
> > that is required.
> >
> > How do options 2 and 3 compare in terms of security?
> > What are the issues, risks involved with option 2?
> >
> > I badly need your wise views to help me convince my
> > manager that option 3, although less immediate, is the
> > route we should go.
> >
> > I'm a newbie to the VPN stuff, so please excuse my
> > inexperience.
> >
> > I'll also very much appreciate any tips, hints,
> > recommendations or any other ideas regarding the use
> > of a Tarantella server with FW-1.
> >
> > Thank you so much in advance for your valuable help.
> > 
> > Orlando Goza
> > 
> > 
================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
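
Added example (not part of the original messages): a small Python model of the placements discussed in this thread, comparing what the firewall exposes to the Internet with what a compromised Tarantella server could reach on the internal LAN. Host names, the application-port placeholder and the rule tuples are constructed for illustration; only ports 80 and 3144 come from the thread.

```python
# Added example: constructed inventory and rules, not a FW-1 rule base.
ANY = "*"
INTERNAL_HOSTS = {"app1", "app2", "files", "hr-db"}  # hypothetical hosts
APP_SERVERS = ["app1", "app2"]                       # hypothetical app servers
APP_PORT = "app-port"  # placeholder: the thread does not name these ports
SERVER = "tarantella"


def exposure(zone, rules):
    """Return (ports the Internet can reach on the server,
    internal (host, port) pairs the server itself can reach)."""
    inbound = {port for src, dst, port in rules
               if src == "internet" and dst == SERVER}
    if zone == "internal":
        # Same segment as the LAN: this traffic never crosses the firewall.
        return inbound, {(host, ANY) for host in INTERNAL_HOSTS}
    reach = set()
    for src, dst, port in rules:
        if src != SERVER:
            continue
        targets = INTERNAL_HOSTS if dst == ANY else {dst} & INTERNAL_HOSTS
        reach |= {(host, port) for host in targets}
    return inbound, reach


PUBLIC = [("internet", SERVER, 80), ("internet", SERVER, 3144)]
# Option 3: only authenticated SecuRemote users reach the server.
VPN_ONLY = [("securemote-user", SERVER, 80), ("securemote-user", SERVER, 3144)]
OPTIONS = {
    "1 internal, ports open": ("internal", PUBLIC),
    "2 DMZ, app ports only": (
        "dmz", PUBLIC + [(SERVER, h, APP_PORT) for h in APP_SERVERS]),
    "2 DMZ, full access inward": ("dmz", PUBLIC + [(SERVER, ANY, ANY)]),
    "3 internal, SecuRemote": ("internal", VPN_ONLY),
}

if __name__ == "__main__":
    for name, (zone, rules) in OPTIONS.items():
        inbound, reach = exposure(zone, rules)
        hosts = sorted({host for host, _ in reach})
        ports = sorted({str(port) for _, port in reach})
        print(f"{name:27} internet->server {sorted(inbound)} "
              f"server->LAN hosts {hosts} ports {ports}")
```

The "full access inward" row gives the same internal reach as placing the server on the LAN, which is the objection raised in the thread; the "app ports only" row is the case where the DMZ actually narrows what a compromised server can touch.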



 
   All contents © 2004 Network Presence, LLC. All rights reserved.