Re: [FW1] Do these solutions post unacceptable security risk?
Ivan,

IMHO, the best solutions for this are:

1) SecuRemote VPN from them to you, specifically limiting the servers and protocols available to them.

2) Drop a Citrix server in your DMZ, and use Secure-ICA for its transport. Then allow the vendor access to the Citrix box, and the Citrix box specific access to the servers (Citrix WinFrame/MetaFrame licenses can be expensive though).

3) Scrap the Internet idea and drop a dedicated circuit between the two companies.

SSH is an "okay" alternative, but you would need to be VERY careful you don't open that access to/from unneeded machines. There are several intrinsic issues with SSH, depending on the version you use, which can create exposures. It's also susceptible to man-in-the-middle attacks (which normally are not that big of a deal, but Dug Song has made it very easy to exploit now, with his recent release of Dsniff 2.3).

VNC is totally unacceptable. Its authentication method is weak, and it is trivial to decode its "encryption".

Just my .02. Hope it's helpful,

Jason

At 12:17 PM 1/21/01 -0500, Ivan Fox wrote:
>
> There are a number of unix-based and NT-based application servers on the
> internal network. They are so special that the vendor needs to access these
> servers from the Internet to trouble-shoot and support, when needed.
>
> The following are proposed "solutions"; your comments/suggestions are
> appreciated.
>
> 1) SSH for Unix-based servers
>
> 2) VNC for NT-based servers
>
> 3) VPN for both Unix and NT servers.
>
> In these cases, we need to drill a number of holes in the firewall to allow
> port 22, 5900 and/or 50 to pass through. We want the "vendor" to be
> authenticated by Check Point Firewall-1 before allowing them to come in and
> then access ONLY those servers.
>
> The rule would be
>
> src         dst                     service   action
> vendor ip   encryption-domain-x     50        client-auth
>             (consists of ip of
>             unix-nt servers)
>
> Would such a "design" pose any security risk to us?
>
> Any comments/suggestions are appreciated.
>
> Dave
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================