Re: [FW1] Tarantella and FW-1
All,

Option 2 would probably be best if you used token-based security (SecurID and the like) on the firewall. Use the firewall as a gatekeeper to the Tarantella servers: tarantell_users@any to tarantella_web, ports 80, 3144, 443, 3??? (secure Tarantella port), etc.

Having worked with the Tarantella product, I was not very excited about the way it is set up from a security perspective. By default, everything on the web server is turned on. In the ideal environment you would have the web server on its own DMZ segment and the Windows Terminal Server on another, with the firewall controlling at the port level what is allowed. The other consideration is that in the configuration you are using, the connection is not encrypted. Depending on the application, this might not be a good idea.

Option 3 is probably the best, but there are several other issues with SR. Depending on the user population, you might have limitations on the supported platforms: no Unix or Mac platforms. One of the benefits of the Tarantella product is that the user simply needs a browser. Other issues: deployment of the SR client, and setup and maintenance. Admittedly, in my installation we had customers and vendors using Tarantella, so the ability to control the end-user environment was very limited.

mjs

> > Hello dear firewallers:
> >
> > Has anybody had any experience with Tarantella
> > (http://www.tarantella.com) and FW-1?
> >
> > We are planning on installing a Tarantella server
> > for giving remote users web-based access to internal
> > applications.
> >
> > Scenario:
> >
> > FW 4.1 SP2 on NT 4.0, SP6a
> > 3 NICs: Internal private LAN (NATted), public DMZ,
> > public Internet segment
> >
> > Possible options:
> >
> > 1) Place the Tarantella server on the internal LAN and
> > open up the ports required for access by remote users
> > from their browsers (web server port 80 and Tarantella
> > ASAD port 3144) at the firewall.
> >
> > 2) Place the Tarantella server on the DMZ and allow
> > inbound access to it from the Internet, allow the
> > connections between the Tarantella server and the
> > internal application servers through the ports
> > required.
> >
> > 3) Purchase the VPN module and set up access to the
> > internal Tarantella server through SecuRemote clients.
> >
> > I ruled out option 1 because of the insecurity
> > associated with allowing direct inbound connections to
> > the internal LAN. I am in favor of option 3 because I
> > think it is the most secure one, but this solution is
> > not as immediate as my manager would want, as we don't
> > have a VPN module yet. Additionally, he also favors
> > option 2 for not requiring the installation of VPN
> > client software as option 3 does; a browser is all
> > that is required.
> >
> > How do options 2 and 3 compare in terms of security?
> > What are the issues and risks involved with option 2?
> >
> > I badly need your wise views to help me convince my
> > manager that option 3, although less immediate, is the
> > route we should go.
> >
> > I'm a newbie to the VPN stuff, so please excuse my
> > inexperience.
> >
> > I'll also very much appreciate any tips, hints,
> > recommendations or any other ideas regarding the use
> > of a Tarantella server with FW-1.
> >
> > Thank you so much in advance for your valuable help.
> >
> > Orlando Goza
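The "firewall as gatekeeper" design in mjs's reply (option 2: Tarantella web server on its own DMZ segment, Terminal Server behind the firewall, only the listed ports open, users authenticated with a token at the firewall) can be modelled as an ordered, first-match, default-deny rulebase. The block below is an added illustration and is not FW-1 syntax, nor the poster's actual rulebase. The address ranges, the names of the rules, and RDP/3389 as the port between the Tarantella server and the Windows Terminal Server are all assumptions not taken from the thread. The `same_segment` check makes the option-1 weakness concrete: a server placed on the internal LAN talks to every other internal host without any rule in the path.

```python
"""Added illustration (not FW-1 syntax, not the poster's rulebase): the
option-2 'gatekeeper' policy from the reply as a first-match, default-deny
rulebase, evaluated against constructed sample flows.

Assumptions not taken from the thread: all address ranges, and RDP/3389 as
the port between the Tarantella web server and the Windows Terminal Server.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing for the three-NIC layout described in the question.
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")                 # assumed DMZ segment
INTERNAL_LAN = ip_network("10.0.0.0/24")         # assumed private LAN
TARANTELLA_WEB = ip_network("192.0.2.10/32")     # assumed DMZ host
TERMINAL_SERVER = ip_network("10.0.0.20/32")     # assumed internal host
SEGMENTS = [DMZ, INTERNAL_LAN]


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[FrozenSet[int]]   # None = any service
    action: str                       # "accept" or "drop"
    needs_token: bool = False         # matches token-authenticated users only


# Option 2 as described in the reply: Internet -> tarantella_web on the web
# and ASAD ports only, tarantella_web -> Terminal Server on one port, cleanup.
OPTION2_RULES: List[Rule] = [
    Rule("tarantella_users_to_web", INTERNET, TARANTELLA_WEB,
         frozenset({80, 443, 3144}), "accept", needs_token=True),
    Rule("web_to_terminal_server", TARANTELLA_WEB, TERMINAL_SERVER,
         frozenset({3389}), "accept"),           # 3389 is an assumption
    Rule("cleanup", INTERNET, INTERNET, None, "drop"),
]


def same_segment(src: IPv4Address, dst: IPv4Address) -> bool:
    """True when both hosts share one segment, so the firewall never sees the
    flow and no rule can apply (the option-1 problem for a LAN-hosted server)."""
    return any(src in seg and dst in seg for seg in SEGMENTS)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int,
             has_token: bool = False) -> Tuple[str, str]:
    """First matching rule decides; anything unmatched is dropped."""
    s, d = ip_address(src), ip_address(dst)
    if same_segment(s, d):
        return "unfiltered", "no-firewall-in-path"
    for r in rules:
        if r.needs_token and not has_token:
            continue          # unauthenticated users do not match this rule
        if s in r.src and d in r.dst and (r.ports is None or dport in r.ports):
            return r.action, r.name
    return "drop", "implicit-drop"


if __name__ == "__main__":
    checks = [  # constructed sample flows
        ("203.0.113.5", "192.0.2.10", 443, True),    # remote user, token OK
        ("203.0.113.5", "192.0.2.10", 443, False),   # remote user, no token
        ("203.0.113.5", "192.0.2.10", 22, True),     # non-Tarantella service
        ("203.0.113.5", "10.0.0.20", 3389, True),    # straight at the LAN
        ("192.0.2.10", "10.0.0.20", 3389, False),    # web server -> TS
        ("192.0.2.10", "10.0.0.21", 445, False),     # compromised web server
        ("10.0.0.20", "10.0.0.21", 445, False),      # both on the LAN
    ]
    for src, dst, port, tok in checks:
        print(f"{src:>13} -> {dst:<12} {port:<5} token={tok!s:<5} "
              f"{evaluate(OPTION2_RULES, src, dst, port, tok)}")
```

The last two flows show the point of the DMZ: a compromised Tarantella server on the DMZ reaches the internal network only on the single port the rulebase allows, whereas two hosts on the same internal LAN are never filtered at all.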