Security Basics mailing list archives
Re: One computer two different networks
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 10 Oct 2006 20:17:33 +0200
On 2006-10-10 Santiago Barahona wrote:
> We have about 250 computers that are isolated in a high-security network, we want to give internet access to those computer users without compromising the secured network... of course our first thought is to buy 250 computers so the users can switch between computers (one for the secure network, one for internet)... but that might not be the most practical solution... So, I've been looking around and I've found a product called DATAGATE, from Tenix, which works as a "Data Diode"... looks interesting... but I'd like to have a second opinion... Does anyone know about other products or techniques on how to accomplish this??
One way to accomplish this is to implement a so-called graphical firewall. Have a network setup like this:

Internet --- FW1 --- DMZ --- FW2 --- LAN

LAN is where your 250 computers reside. Into the DMZ you put a terminal server with web browser, mail client and whatever other program you want your users to access the Internet with. Make sure the terminal server is hardened.

Configure FW1 to:
- ALLOW access FROM the terminal server in the DMZ TO the Internet
- DENY access FROM the Internet TO the DMZ (except for related traffic)

Configure FW2 to:
- ALLOW remote-desktop access FROM the LAN TO the terminal server only
- DENY access FROM the DMZ TO the LAN (except for related traffic)

For Windows Terminal Services remote-desktop access would be through port 3389. Make sure you have only the remote desktop and maybe the clipboard, but no mapping of printers, shares, or other resources. Keep the remote-desktop client on your LAN computers up-to-date.

Regards
Ansgar Wiechers
--
"Another option [for defragmentation] is to back up your important files, erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
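As an added example (not part of Ansgar's message), a small Python model of the rule set he describes: two default-deny, stateful firewalls with exactly the stated exceptions, so the permitted and blocked flows of the layout can be checked before touching real equipment. Zone names, addresses and all port numbers other than 3389 are constructed.

```python
"""Policy model of the Internet --- FW1 --- DMZ --- FW2 --- LAN design from the reply.
Each firewall is default deny and keeps a connection table so that replies to an
already accepted flow ('related traffic') pass. Addresses below are constructed."""
from dataclasses import dataclass

RDP_PORT = 3389
TERMINAL_SERVER = "10.1.0.10"        # constructed address of the DMZ terminal server
ZONES = ("internet", "dmz", "lan")   # FW1 sits between zones 0-1, FW2 between 1-2

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    sport: int
    dport: int

def fw1_policy(p):
    """FW1: only the terminal server may open connections to the Internet."""
    return p.src_zone == "dmz" and p.src == TERMINAL_SERVER and p.dst_zone == "internet"

def fw2_policy(p):
    """FW2: LAN hosts may open only remote-desktop sessions to the terminal server."""
    return (p.src_zone == "lan" and p.dst_zone == "dmz"
            and p.dst == TERMINAL_SERVER and p.dport == RDP_PORT)

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.conntrack = set()   # (src, dst, sport, dport) of accepted flows
    def accept(self, p):
        if (p.dst, p.src, p.dport, p.sport) in self.conntrack:
            return True          # reply to an accepted flow counts as related
        if not self.policy(p):
            return False         # default deny
        self.conntrack.add((p.src, p.dst, p.sport, p.dport))
        return True

def firewalls_on_path(src_zone, dst_zone):
    """Firewalls a packet crosses, in the order it meets them."""
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    fws = ("FW1", "FW2")[min(i, j):max(i, j)]
    return fws if i < j else fws[::-1]

class Network:
    def __init__(self):
        self.fws = {"FW1": StatefulFirewall(fw1_policy), "FW2": StatefulFirewall(fw2_policy)}
    def send(self, p):
        """Return 'ACCEPT' or 'DROP at <firewall>' for a packet crossing the design."""
        for name in firewalls_on_path(p.src_zone, p.dst_zone):
            if not self.fws[name].accept(p):
                return f"DROP at {name}"
        return "ACCEPT"
```

Sending a LAN desktop's RDP request to the terminal server and then the server's reply shows the related-traffic exception at work, while a direct LAN-to-Internet packet is dropped at FW2 and an inbound Internet connection to the terminal server is dropped at FW1.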