RE: hitting the "on" switch

["Safier, Adam (GEIS)" <Adam.Safier () geis ge com>]

3 is a problem.  Can you add a network access server (NAS) to be placed
on a DMZ?  Users dial in to that and authenticate at the firewall just
like any internet user.

   Inet------FW----your net
               |
            NAS

2 might be OK if you know who/where you are tunneling to and why.  You
can tunnel IPX over a IP network which might be the only use of 2 and
might be OK - if you trust the servers.

Adam

> -----Original Message-----
> From: Jim Leo [SMTP:ADMIN () everett pitt cc nc us]
> Sent: Thursday, September 18, 1997 12:50 PM
> To:   firewall-wizards () nfr net
> Subject: Re: hitting the "on" switch
>
> On Sept. 29 , our Office of Information Technology and Services will 
> be meeting with the vendor that will be installing our firewall. I am 
> already more than a little leary (not Tim) of some of what I thought 
> I heard. Our 'rule' will be inside-out=OK / outside-in=requires 
> smartkey. I am concerned about the following issuses.
>       1. That we will have to touch each device for them to get to the
>
> outside world. Sounds like an IP address change to me. 
>       2. Tunneling inside to outside.
>       3. Modems in machines  behind firewall. Yes I know. But the 
> requirement for Dial-in is there.
>       4. No IPX through the firewall. A requirement exists to access 
> Novell servers on a separate network.
>
> I am concerned about the 'Honest' risks of 2 and 3 above. I would 
> like opinions (direct to me NOT the list) about 1 and 4. 
>
> Thank you for your consideration
> Jim Leo
> admin () everett pitt cc nc us