[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] Do these solutions post unacceptable security risk?
IMHO 1) - dedicated line to vendor 2) - RSA/ACE Server using SecurID over the net - works well but can be expensive. 3) - Setup a VPN between yourself and the vendor over the net. Just remember, once you give the vendor access to your internal servers they will be able to access all your servers. ;> L8r Cyn "...Security is not something you can buy. No matter what vendors try to tell you. Security is something you live..." > -----Original Message----- > From: [email protected] > [mailto:[email protected]]On Behalf Of Ivan > Fox > Sent: Sunday, January 21, 2001 12:18 PM > To: fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail) > Subject: [FW1] Do these solutions post unacceptable security risk? > > > > There are a number of unix-based and NT-based application servers on the > internal network. They are so special that the vendor needs to > access these > servers from the Internet to trouble-shoot and support, when needed. > > The following are proposed "solutions", your comments/suggestions are > appreciated. > > 1) SSH for Unix-based servers > > 2) VNC for NT-based servers > > 3) VPN for both Unix and NT servers. > > In these cases, we need to drill a number of holes on the > firewall to allow > port 22, 5900 or/and 50 to pass through. We want to "vendor" to be > authenticated by Check Point Firewall-1 before allowing them to > come in and > then access ONLY those servers. > > The rule would be > > src dst service action > vendor ip encryption-domain-x 50 client-auth > consists of ip of > unix-nt servers > > Would such "design" post any security risk to us? > > Any comments/suggestions are appreciated. > > Dave > > > > > ================================================================== > ============== > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================================== > ============== ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|