Hi,

I recently installed a firewall machine (SuSE 6.4, kernel 2.2.14) for a company connected to the internet via a 64K permanent leased line. Initially I was told there were no requirements to offer any services from inside the company to the outside (www, mail, etc.), so I went with a fairly simple setup (no DMZ) which would also fit their budget.

Setup: Internet - Cisco Router - Linux Firewall - LAN

While setting up the machine on site, the IT department found out that their new provider had taken over the domain name (as requested) and provided IP addresses for firewall.company.com, mail.company.com and also www.company.com, all routed to the same network. Soon I was confronted with the wish to make their NT-based mail server - residing on the internal LAN and formerly sending and receiving mail via a dialup link (to the old provider) - talk to the outside world. Setting up a second firewall and a DMZ (which for me would have been the best solution security-wise) was not an option. So I went with the ipmasqadm tool and now I am port-forwarding mail to and from mail.company.com over the firewall machine. I am not very happy with this as it just opens more potential vulnerabilities.

First question: does anyone have a better solution for this (given the setup and restrictions I described above)?

Now, after connecting those guys to the internet, they contacted me again with the next wish: certain employees are supposed to be able to connect from home/hotel/anyplace (of course outside the LAN) via the firewall (or what they suggested first - a dial-in server INSIDE the LAN *sigh*) to certain services inside their LAN (mainly file services). Doh!

Second question: What would be a good/the best solution to give them access?

I am extremely reluctant to let NetBIOS and similar protocols cross the firewall; I also don't really want to provide dialup access on the firewall box and even less on a machine inside the LAN. Anything that will be transferred would have to be encrypted, since I can't imagine they would want to transmit confidential material without some sort of protection.

Ok, I started reading up on VPNs and related material. To be short, I am not familiar with this topic yet, so I thought I'd try and get some advice from this mailing list first before I waste hours investigating useless material. All hints and/or links to material discussing this topic are very much appreciated.

Thanks,
Erwin

Erwin Zierler | Web-/Hostmaster - Stubainet | Email: Erwin.Zierler@stubainet.at / webmaster@stubainet.at | Mobil: 0664 - 130 67 91 Tel.: 05225 - 64325 Fax 99
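As an added illustration of the port-forwarding setup described in the post above (this is example code written for this page, not Erwin's actual rule set), the following script builds an ipchains/ipmasqadm policy for a kernel 2.2 firewall in which 25/tcp to the public mail address is the only thing forwarded inwards, NetBIOS (137-139) is denied and logged on both chains, and everything else defaults to DENY. All addresses and interface names are constructed assumptions; by default the script only prints the commands, and APPLY=1 executes them.

```shell
#!/bin/sh
# Addresses and interfaces are constructed for this example, not from the thread.
EXT_IF=eth0
INT_IF=eth1
EXT_IP=192.0.2.2          # assumed public address of the firewall (mail.company.com points here)
INT_NET=192.168.1.0/24
MAIL_INT=192.168.1.10     # assumed address of the NT mail server on the LAN

# Dry-run by default: print each command. APPLY=1 executes it instead.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

firewall_rules() {
  # start clean, default deny on input and forward
  run ipchains -F
  run ipchains -P input DENY
  run ipchains -P output ACCEPT
  run ipchains -P forward DENY
  run ipchains -A input -i lo -j ACCEPT

  # anti-spoofing: nothing from the internet may claim a LAN source address
  run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l

  # NetBIOS never crosses the box in either direction; log the attempts
  run ipchains -A input -i "$EXT_IF" -p tcp -d 0/0 137:139 -j DENY -l
  run ipchains -A input -i "$EXT_IF" -p udp -d 0/0 137:139 -j DENY -l
  run ipchains -A forward -p tcp -d 0/0 137:139 -j DENY -l
  run ipchains -A forward -p udp -d 0/0 137:139 -j DENY -l

  # the one inbound service: SMTP to the public mail address (port-forwarded below)
  run ipchains -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 25 -j ACCEPT

  # LAN hosts may talk to the firewall and get masqueraded outwards
  run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT
  run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ

  # replies to connections the LAN opened: TCP without SYN, plus DNS answers
  run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
  run ipchains -A input -i "$EXT_IF" -p udp -s 0/0 53 -j ACCEPT

  # exactly one port forward: 25/tcp on the public address -> NT mail server
  run ipmasqadm portfw -f
  run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 25 -R "$MAIL_INT" 25
}

firewall_rules
```

The important properties are that the forward list holds a single entry, that the ipchains input rule for 25/tcp is the only ACCEPT naming the public address, and that the NetBIOS denies come before any accept rule so they also cover the masquerade path. Run it with `APPLY=1 sh rules.sh` on the firewall once the printed rule set looks right.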
Ok, I started reading up on VPNs and related material. To be short, I am not familiar with this topic yet, so I thought I'd try and get some advice from this mailing list first before I waste hours investigating useless material.

I think VPNs are the best solution. I have seen something about tunneling and a very good discussion of these things in the book "Virtual Private Networks" by Charlie Scott, Paul Wolfe and Mike Erwin, published by O'Reilly and Associates. I am definitely not an expert on this, but that book may help.
Ugh no. That book isn't too useful, it's very dated (I own a copy). IPSec is _the_ VPN standard for the future; the Linux implementation kind of sucks (www.freeswan.org), but is getting better. It works with OpenBSD, the PGP Windows client, etc. A great book on IPSec is: IPSec, ISBN: 0-13-011898-2

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
[...]
Ugh no. That book isn't too useful, it's very dated (I own a copy). IPSec is _the_ VPN standard for the future; the Linux implementation kind of sucks (www.freeswan.org), but is getting better.

Uhmm, could you explain that? What's wrong with FreeS/WAN? I hope FreeS/WAN is part of the SuSE distribution so this mail isn't too far off-topic... ;-)

Regards,
Jan Hildebrandt

-- 
jan.hildebrandt@mathema.de
MATHEMA Software GmbH
Nägelsbachstraße 25 b
91052 Erlangen
Telefon 09131/8903-0
Telefax 09131/8903-55
http://www.mathema.de
Uhmm, could you explain that? What's wrong with FreeS/Wan?
It's not integrated with the kernel, it's a set of patches/etc. With OpenBSD/Solaris/Windows 2000/other modern OSes it's integrated by default. The basic design is kind of messy. Try setting it up from scratch and you'll see what I mean. All I gotta do in OpenBSD/etc. is enable the IPSec-related key daemons and config connections, nothing messy. FreeS/WAN is making leaps and bounds though, but another issue is the lack of support for network cards with built-in crypto accelerators (like Intel's server NICs); OpenBSD/Windows support these.
I hope FreeS/Wan is part of the SuSE distribution so this mail isn't too far off-topic... ;-)
Yeah they ship freeswan.
Regards,
Jan Hildebrandt
Hmm, maybe SuSE should pay me to answer these =)

Kurt Seifried
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/
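To make the "enable the key daemon and config connections" part of the exchange above concrete for the Linux side, here is an added example (written for this page, not code from the thread or from the FreeS/WAN project) of what the firewall from the first post would need for a FreeS/WAN road-warrior VPN: the ipchains additions that let only IKE (500/udp) and ESP (IP protocol 50) reach the outside interface, confine decrypted traffic arriving on the virtual interface ipsec0 to SMB on one file server, and a minimal ipsec.conf fragment. Addresses, interface names and the client address pool are constructed assumptions, the ipsec.conf keywords follow the FreeS/WAN 1.x syntax as assumed here, and the RSA key values are placeholders (real ones come from `ipsec rsasigkey` / `ipsec showhostkey`, assumed to be available in that release). As before, the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Addresses and interfaces are constructed for this example, not from the thread.
EXT_IF=eth0
INT_IF=eth1
EXT_IP=192.0.2.2            # assumed public address of the firewall/VPN gateway
INT_NET=192.168.1.0/24
FILESRV=192.168.1.20        # assumed address of the NT file server the employees need
VPN_POOL=10.99.0.0/24       # assumed addresses the road-warrior clients use inside the tunnel

# Dry-run by default: print each command. APPLY=1 executes it instead.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Additions to an existing default-deny ipchains policy. Nothing but IKE and ESP
# is accepted from the internet; FreeS/WAN hands decrypted packets to ipsec0, and
# that is the only place SMB (139/tcp) is allowed, and only towards the file server.
# In the forward chain ipchains' -i names the interface the packet leaves on.
ipsec_rules() {
  run ipchains -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 500 -j ACCEPT
  run ipchains -A input -i "$EXT_IF" -p 50 -d "$EXT_IP" -j ACCEPT
  # decrypted road-warrior traffic: SMB to the file server only
  run ipchains -A input -i ipsec0 -p tcp -s "$VPN_POOL" -d "$FILESRV" 139 -j ACCEPT
  run ipchains -A forward -i "$INT_IF" -p tcp -s "$VPN_POOL" -d "$FILESRV" 139 -j ACCEPT
  # replies from the file server back into the tunnel (no SYN, so no new connections outward)
  run ipchains -A input -i "$INT_IF" -p tcp -s "$FILESRV" 139 -d "$VPN_POOL" ! -y -j ACCEPT
  run ipchains -A forward -i ipsec0 -p tcp -s "$FILESRV" 139 -d "$VPN_POOL" ! -y -j ACCEPT
  # anything else arriving through the tunnel is logged and dropped
  run ipchains -A input -i ipsec0 -j DENY -l
}

# Minimal ipsec.conf for one road-warrior connection (FreeS/WAN 1.x syntax as
# assumed here). right=%any accepts clients from any address; RSA signature
# authentication means no shared secret travels across the line. Key values are
# placeholders, not real keys.
ipsec_conf() {
  cat <<EOF
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn roadwarrior
    left=$EXT_IP
    leftsubnet=$INT_NET
    leftrsasigkey=0sAQ-GATEWAY-PUBLIC-KEY-PLACEHOLDER
    right=%any
    rightrsasigkey=0sAQ-CLIENT-PUBLIC-KEY-PLACEHOLDER
    authby=rsasig
    pfs=yes
    keyingtries=0
    auto=add
EOF
}

ipsec_rules
ipsec_conf
```

The design point is the same one Erwin raised about NetBIOS: it never appears in the clear on eth0, and even inside the tunnel it is pinned to one destination and one port, so a stolen laptop with a working tunnel still cannot browse the whole LAN. The ipsec.conf text is meant to be redirected into /etc/ipsec.conf; one `conn` per client (or per client key) is the usual layout when each employee gets their own RSA key.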
On Wed, 23 Aug 2000, Erwin Zierler - Stubainet wrote:
Now, after connecting those guys to the internet, they contacted me again with the next wish: certain employees are supposed to be able to connect from home/hotel/anyplace (of course outside the LAN) via the firewall (or what they suggested first - a dial-in server INSIDE the LAN *sigh*) to certain services inside their LAN (mainly file services). Doh!

Second question: What would be a good/the best solution to give them access?

I am extremely reluctant to let NetBIOS and similar protocols cross the firewall; I also don't really want to provide dialup access on the firewall box and even less on a machine inside the LAN. Anything that will be transferred would have to be encrypted, since I can't imagine they would want to transmit confidential material without some sort of protection.

Another late entry to a thread - I will trash my reputation. In real life, dial-in access inside the firewall is quite a common way of allowing insecure services such as telnet, intranet and NetBIOS to trusted employees. But it is expensive and probably only good for nets that made the investment in modems *before* VPNs became viable. Either with VPNs or modems you probably want very good user authentication - one-time passwords or smart cards, for example. Both are trusted channels into the LAN and therefore vulnerable. I cannot see how one is any worse than the other.

dproc
participants (5): dproc@dol.net, Erwin Zierler - Stubainet, Jan Hildebrandt, Kurt Seifried, semat@wawa.eahd.or.ug