
Re: [FW1] Do these solutions post unacceptable security risk?



Ivan,

IMHO, the best solutions for this are:

1) SecuRemote VPN from them to you, specifically limiting the servers and
protocols available to them
2) Drop a Citrix server in your DMZ, and use Secure-ICA for its transport.
Then allow the vendor access to the Citrix box, and the Citrix box
specific access to the servers (Citrix WinFrame/MetaFrame licenses can be
expensive though)
3) Scrap the Internet idea and drop a dedicated circuit between the two
companies.

SSH is an "okay" alternative, but you would need to be VERY careful you
don't open that access to/from unneeded machines.  There are several
intrinsic issues with SSH, depending on the version you use, which can
create exposures.  It's also susceptible to man-in-the-middle attacks
(which normally are not that big of a deal, but Dug Song has made it very
easy to exploit now, with his recent release of Dsniff 2.3)

VNC is totally unacceptable.  Its authentication method is weak, and it
is trivial to decode its "encryption".

Just my .02.  Hope it's helpful,

Jason


At 12:17 PM 1/21/01 -0500, Ivan Fox wrote:
>
>There are a number of unix-based and NT-based application servers on the
>internal network.  They are so special that the vendor needs to access these
>servers from the Internet to trouble-shoot and support, when needed.
>
>The following are proposed "solutions", your comments/suggestions are
>appreciated.
>
>1) SSH for Unix-based servers
>
>2) VNC for NT-based servers
>
>3) VPN for both Unix and NT servers.
>
>In these cases, we need to drill a number of holes on the firewall to allow
>port 22, 5900 and/or 50 to pass through.  We want the "vendor" to be
>authenticated by Check Point Firewall-1 before allowing them to come in and
>then access ONLY those servers.
>
>The rule would be
>
>src          dst                    service   action
>vendor ip    encryption-domain-x    50        client-auth
>             (consists of the IPs of the unix/nt servers)
>
>Would such "design" pose any security risk to us?
>
>Any comments/suggestions are appreciated.
>
>Dave
>
>
>
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
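The warning above about not opening SSH access "to/from unneeded machines", and the proposed rule in the quoted post (vendor address -> a group of internal servers, one service per rule, with client-auth), both come down to what the firewall policy actually lets the vendor's address reach. The following is an added example, not code from the list or from Check Point, that models such a policy with first-match semantics and an implicit cleanup drop, enumerates what an external source can reach, and flags permit rules whose destination is far larger than the handful of servers the vendor needs. Group names, addresses, rule names and the 16-address limit are all constructed assumptions; only TCP ports are modelled (the ESP/50 VPN case is left out).

```python
"""Model a first-match firewall policy of the kind proposed in the thread
(vendor address -> group of internal servers, one service per rule) and
audit what the vendor's address can actually reach through it.

Added example, not code from the list post or from Check Point.  All group
names, addresses and rule names are constructed; only TCP ports are modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"
MAX_DST_ADDRESSES = 16   # assumed limit on how many hosts an external source may reach

# Stand-ins for firewall network objects / groups (constructed addresses).
GROUPS: Dict[str, Set[str]] = {
    "vendor-ip": {"198.51.100.7/32"},
    "unix-nt-servers": {"10.0.5.10/32", "10.0.5.11/32", "10.0.5.12/32"},
    "internal-net": {"10.0.0.0/8"},
}
SERVICES: Dict[str, Set[int]] = {"ssh": {22}, "vnc": {5900}}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # group name or "any"
    dst: str       # group name or "any"
    service: str   # service name or "any"
    action: str    # "accept", "client-auth" (accept after user auth) or "drop"


def _addr_in_group(group: str, addr: str) -> bool:
    if group == ANY:
        return True
    return any(ip_address(addr) in ip_network(net) for net in GROUPS[group])


def _port_in_service(service: str, port: int) -> bool:
    return service == ANY or port in SERVICES[service]


def group_size(group: str) -> Optional[int]:
    """Number of addresses a group covers; None stands for 'any'."""
    if group == ANY:
        return None
    return sum(ip_network(net).num_addresses for net in GROUPS[group])


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[str]]:
    """First matching rule wins; with no match the implicit cleanup drop applies."""
    for rule in rules:
        if (_addr_in_group(rule.src, src) and _addr_in_group(rule.dst, dst)
                and _port_in_service(rule.service, port)):
            return rule.action, rule.name
    return "drop", None


def reachable_from(rules: List[Rule], src: str, hosts: List[str],
                   ports: List[int]) -> Set[Tuple[str, int]]:
    """Every (host, port) in the probe set that src may reach (accept or client-auth)."""
    return {(h, p) for h in hosts for p in ports if evaluate(rules, src, h, p)[0] != "drop"}


def audit(rules: List[Rule], external_groups: Set[str]) -> List[str]:
    """Flag permit rules that give an external source more than a tightly
    enumerated set of servers, or an unrestricted service."""
    findings = []
    for rule in rules:
        if rule.action == "drop" or (rule.src not in external_groups and rule.src != ANY):
            continue
        size = group_size(rule.dst)
        if size is None or size > MAX_DST_ADDRESSES:
            shown = "any" if size is None else str(size)
            findings.append(f"{rule.name}: external source {rule.src} may reach "
                            f"dst {rule.dst} ({shown} addresses)")
        if rule.service == ANY:
            findings.append(f"{rule.name}: external source {rule.src} may use any service")
    return findings


# The thread's proposed policy: one rule per service, then an explicit cleanup drop.
PROPOSED = [
    Rule("vendor-ssh", "vendor-ip", "unix-nt-servers", "ssh", "client-auth"),
    Rule("vendor-vnc", "vendor-ip", "unix-nt-servers", "vnc", "client-auth"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
]

# The mistake the reply warns about: the same access with the whole internal net as dst.
SLOPPY = [
    Rule("vendor-ssh-sloppy", "vendor-ip", "internal-net", "ssh", "client-auth"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
]

if __name__ == "__main__":
    probe_hosts = ["10.0.5.10", "10.0.5.11", "10.0.5.12", "10.0.5.99"]
    for label, policy in (("proposed", PROPOSED), ("sloppy", SLOPPY)):
        print(label, sorted(reachable_from(policy, "198.51.100.7", probe_hosts, [22, 5900, 445])))
        print(label, audit(policy, {"vendor-ip"}))
```

With the proposed policy the vendor address reaches only the three named servers on 22 and 5900; the host 10.0.5.99, which is not in the group, and any other port fall through to the cleanup rule. The sloppy variant, which uses the whole internal network as destination, lets the same address reach 10.0.5.99 on port 22 and is the one the audit reports.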