On Wed, 23 Aug 2000, Erwin Zierler - Stubainet wrote:
Now, after connecting those guys to the internet they contacted me again with the next wish: certain employees are supposed to be able to connect from home/hotel/anyplace (of course outside the LAN) via firewall (or what they suggested first - a dialin server INSIDE the LAN *sigh*) to certain services inside their LAN (mainly fileservices). Doh!
Second question: What would be a good/the best solution to give them access?
I am extremely reluctant to let netbios and similar protocols cross the firewall, I also don't really want to provide dialup access on the firewall box and even less on a machine inside the LAN. Anything that will be transferred would have to be encrypted since I can't imagine they would want to transmit confidential material without some sort of protection.
Another late entry to a thread - I will trash my reputation. In real life dial-in access inside a firewall is quite a common way of allowing insecure services to trusted employees, such as telnet, intranet and NetBIOS. But it is expensive and probably only good for nets that made the investment in modems *before* VPNs became viable. Either with VPNs or modems you probably want very good user authentication - one-time passwords or smart cards for example. Both are trusted channels into the LAN and therefore vulnerable. I cannot see how one is any worse than the other. dproc
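As an added illustration (not code from either post above), here is a small Python model of the filtering policy the thread arrives at: NetBIOS/SMB from the Internet never crosses the firewall, only IPsec (IKE on UDP 500 and ESP) is accepted on the firewall's public address, and the file-service ports are reachable only from the addresses the VPN hands out to authenticated clients. The LAN range, VPN pool and public address are made-up values; a real deployment would express the same rules in the firewall's own rule language.

```python
"""Toy stateless packet-filter policy for the setup discussed in the thread.

Illustrative example added to this thread; not code from the original posts.
The addresses, VPN pool and topology below are assumptions, not from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology (constructed for the example):
LAN = ip_network("192.168.1.0/24")        # internal LAN behind the firewall
VPN_POOL = ip_network("10.8.0.0/24")      # addresses assigned to VPN clients
FIREWALL_WAN = ip_address("203.0.113.1")  # firewall's public address (TEST-NET-3)

NETBIOS_SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session, SMB direct
IKE_PORT = 500                            # IPsec key exchange (UDP)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "esp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int = 0  # destination port; 0 for protocols without ports (ESP)


def decide(pkt: Packet) -> str:
    """Return "accept" or "drop" for a packet under the default-deny policy."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # 1. IPsec from anywhere to the firewall's public address is accepted:
    #    the tunnel endpoint is the only service exposed to the Internet.
    if dst == FIREWALL_WAN and (
        (pkt.proto == "udp" and pkt.dport == IKE_PORT) or pkt.proto == "esp"
    ):
        return "accept"

    # 2. Decrypted VPN traffic (source in the VPN pool) may reach LAN file
    #    services only; nothing else is opened for remote users.
    if src in VPN_POOL and dst in LAN and pkt.dport in NETBIOS_SMB_PORTS:
        return "accept"

    # 3. Traffic that stays inside the LAN is not the firewall's concern.
    if src in LAN and dst in LAN:
        return "accept"

    # 4. Everything else, including raw NetBIOS/SMB from the Internet and
    #    any direct connection to LAN hosts, is dropped.
    return "drop"


if __name__ == "__main__":
    # Constructed sample flows (198.51.100.7 is an arbitrary Internet host)
    samples = [
        Packet("tcp", "198.51.100.7", "192.168.1.10", 445),  # SMB from outside
        Packet("udp", "198.51.100.7", "203.0.113.1", 137),   # NetBIOS to firewall
        Packet("udp", "198.51.100.7", "203.0.113.1", 500),   # IKE to firewall
        Packet("esp", "198.51.100.7", "203.0.113.1"),        # ESP to firewall
        Packet("tcp", "10.8.0.5", "192.168.1.10", 445),      # SMB via VPN
        Packet("tcp", "10.8.0.5", "192.168.1.10", 23),       # telnet via VPN
    ]
    for p in samples:
        print(f"{p.proto:4} {p.src:>14} -> {p.dst:>14}:{p.dport:<4} {decide(p)}")
```

The point of rule 2 is that the file-service ports are only ever reachable from the VPN pool, i.e. from a peer that has already authenticated to the tunnel; the strength of that authentication (one-time passwords, smart cards) is what the whole design rests on, as dproc notes.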