NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Do these solutions post unacceptable security risk?



IMHO

1) - dedicated line to vendor
2) - RSA/ACE Server using SecurID over the net - works well
         but can be expensive.
3) - Setup a VPN between yourself and the vendor over the net.

Just remember, once you give the vendor access to your internal
servers they will be able to access all your servers. ;>

L8r
Cyn

"...Security is not something you can buy. No matter what
 vendors try to tell you. Security is something you live..."



> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Ivan
> Fox
> Sent: Sunday, January 21, 2001 12:18 PM
> To: fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail)
> Subject: [FW1] Do these solutions post unacceptable security risk?
>
>
>
> There are a number of unix-based and NT-based application servers on the
> internal network.  They are so special that the vendor needs to
> access these
> servers from the Internet to trouble-shoot and support, when needed.
>
> The following are proposed "solutions", your comments/suggestions are
> appreciated.
>
> 1) SSH for Unix-based servers
>
> 2) VNC for NT-based servers
>
> 3) VPN for both Unix and NT servers.
>
> In these cases, we need to drill a number of holes on the
> firewall to allow
> port 22, 5900 or/and 50 to pass through.  We want to "vendor" to be
> authenticated by Check Point Firewall-1 before allowing them to
> come in and
> then access ONLY those servers.
>
> The rule would be
>
> src          dst                              service  action
> vendor ip    encryption-domain-x              50      client-auth
> consists of ip of
>             unix-nt servers
>
> Would such "design" post any security risk to us?
>
> Any comments/suggestions are appreciated.
>
> Dave
>
>
>
>
> ==================================================================
> ==============
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==================================================================
> ==============



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.