Firewall Wizards mailing list archives

RE: shiva lanrover


From: "Ewing, Timothy K." <Timothy.Ewing () celera com>
Date: Thu, 14 Sep 2000 14:24:22 -0400


Someone at my company wants to install a Shiva LanRover box (8 
ports, no waiting) for dial-up access either behind the firewall or on 
a DMZ.  I think this is a 'fine idea', but I want to put it outside the 
firewall.  For some reason they don't want to go the ISP route.


I have worked for companies on both sides of the ISP issue.  If it were
me, I would not only find out why the resistance to the ISP route but would
push for that solution.  After all, do you really want to get into the whole
ISP/modem bank set of problems?  I prefer the solution of users dialing
into their own ISP, either on their own or company sanctioned, and then
using tunnel software which provides strong encryption.  This avoids the whole
issue of what type of problems may or may not exist with the Shiva as well
as avoiding a whole range of support issues and having modems on your
network.

One solution that I'm familiar with is having client software talk to a
tunnel server on your network.  The client keys (tunnel keys) are created and are
unique for each user.  Since the keys are created on the server and require
the user to enter a password to unlock them upon each connection, this
follows a model of what they have and what they know.


- Timothy K. Ewing
  Celera Genomics
  Network Security Engineer

