Mailinglist Archive: opensuse-security (601 mails)

Dialin/VPN/Firewall
  • From: Erwin Zierler - Stubainet <Erwin.Zierler@xxxxxxxxxxxx>
  • Date: Wed, 23 Aug 2000 10:35:01 +0200
  • Message-id: <2.2.32.20000823083501.00dff188@xxxxxxxxxxxxxxxxx>
Hi,

I recently have installed a firewall machine (SuSE 6.4, kernel 2.2.14)
for a company connected to the internet via a 64K permanent leased line.
Initially I was told there were no requirements to offer any services
from inside the company to the outside (www, mail, etc.) so I went with
a fairly simple setup (no DMZ) which would also fit their budget.

Setup:

Internet - Cisco Router - Linux Firewall - LAN

While setting up the machine on site the IT department found out that
their new provider had taken over the domain name (as requested) and
provided IP addresses for firewall.company.com, mail.company.com and also
www.company.com all routed to the same network.
Soon I was confronted with the wish to make their NT-based mail server -
residing on the internal LAN and formerly sending and receiving mail via
a dialup link (to the old provider) - talking to the outside world.
Setting up a second firewall and a DMZ (which for me would have been the
best solution security-wise) was not an option.
So I went with the ipmasqadm tool and now I am port forwarding mail to and
from mail.company.com over the firewall machine. I am not very happy
with this as it just opens more potential vulnerabilities.

First question: does anyone have a better solution for this (given the
setup and restrictions I described above)?

Now, after connecting those guys to the internet they contacted me again
with the next wish: certain employees are supposed to be able to connect
from home/hotel/anyplace (of course outside the LAN) via firewall (or
what they suggested first - a dialin server INSIDE the LAN *sigh*) to
certain services inside their LAN (mainly fileservices). Doh!

Second question:
What would be a good/the best solution to give them access?

I am extremely reluctant to let NetBIOS and similar protocols cross
the firewall; I also don't really want to provide dialup access on the
firewall box and even less on a machine inside the LAN. Anything
that will be transferred would have to be encrypted since I can't imagine
they would want to transmit confidential material without some sort of
protection.

Ok, I started reading up on VPNs and related material. To be short,
I am not familiar with this topic yet, so I thought I'd try and get some
advice from this mailing list first before I waste hours investigating
useless material.

All hints and/or links to material discussing this topic are very much
appreciated.

Thanks,
Erwin



Erwin Zierler | Web-/Hostmaster - Stubainet
| Email: Erwin.Zierler@xxxxxxxxxxxx / webmaster@xxxxxxxxxxxx
| Mobile: 0664 - 130 67 91 Tel.: 05225 - 64325 Fax 99
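One way to keep the SMTP forward described in the post scoped to a single port and host on a 2.2 kernel, as an added example that is not part of the original message or its author's setup: the interface name, addresses, and the default-deny rule set are constructed assumptions, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): emit the ipchains/ipmasqadm
# rules that let only SMTP (tcp/25) reach the internal mail host and refuse
# everything else arriving from the router side. All values are constructed.
EXT_IF=eth0               # interface facing the Cisco router (assumed)
EXT_IP=192.0.2.10         # public address of mail.company.com (constructed)
MAIL_IP=192.168.1.5       # internal NT mail server (constructed)
LAN_NET=192.168.1.0/24    # internal LAN (constructed)
DRY_RUN=${DRY_RUN:-1}     # 1 = print the rules only, 0 = apply them as root

# Print one command, or execute it when DRY_RUN=0 (needs root, 2.2 tooling,
# and /proc/sys/net/ipv4/ip_forward set to 1 beforehand).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Default-deny: nothing crosses the box unless a later rule allows it.
# Packets from outside that claim a LAN source are spoofed; log them (-l).
deny_default() {
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
}

# Accept inbound SMTP only when addressed to the public mail address, then
# hand it to ipmasqadm, which rewrites the destination to the mail host.
allow_smtp_forward() {
    run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 25 -j ACCEPT
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 25 -R "$MAIL_IP" 25
}

# Outbound mail: only the mail host may open SMTP sessions through the
# firewall, masqueraded behind its public address.
allow_smtp_out() {
    run ipchains -A forward -s "$MAIL_IP" -p tcp -d 0.0.0.0/0 25 -j MASQ
}

# Full rule set in order; review with DRY_RUN=1 before applying.
ruleset() { deny_default; allow_smtp_forward; allow_smtp_out; }
ruleset
```

Everything not listed (NetBIOS, other TCP/UDP ports, any traffic to other LAN hosts) stays blocked by the DENY policies, so the forward exposes exactly one service on one host.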