Firewall Wizards mailing list archives

Re: shiva lanrover


From: miko () client-server co at
Date: Mon, 18 Sep 2000 10:15:03 +0200

I suggest placing the RAS server outside the firewall.
If you are using a Shiva LanRover, the box is protected with several features such as
username/password, caller ID verification, call back, and so on.

Then you can split your network into two regions, simply secured with your firewall
between them, one with access for the RAS (simply one more NIC in your FW) where you
have your servers for this access.
You should not use RAS without a good back-end solution for security - you have to
have an authentication server with a single password.
You can use Shiva's AccessManager, which includes a RADIUS/TACACS server, and
the VASCO authentication server with support for soft/hard tokens based on
challenge/response authentication.
Or you can use any other authentication like CryptoCard or SafeWord or maybe
SecurID (which is the least secure of these).


From:                   Patrick Darden <darden () armc org>
To:                     hermit1 <hermits () mac com>
Copies to:              firewall-wizards () nfr com
Subject:                Re: [fw-wiz] shiva lanrover


Outside your firewall meaning on the internet?  Accessible by anyone?
Not recommended.  Rack up a heck of a long distance bill if you get
hacked, have no secure access to it from your network (as in dial out,
management, logging and auditing, etc.).  Kind of a strange idea,
actually.  Random DOS attacks would lock it up two or three times a day.

Located inside your DMZ it gets a lot of protection, but it is still not a
trusted host so it only gets certain restricted access.  Very
controllable, very manageable, if done correctly.

Inside your network means it is fully trusted, so a kid with a wardialer
could conceivably hack into it--and from there have free access to the
soft rich underbelly of your network.  Better than hanging it
outside your firewall but, again, not recommended.


By their nature, RAS units are doubly susceptible to attack--as they are
doubly accessible.  I suggest you protect your unit as strongly as
possible without limiting its functionality.

--
--Patrick Darden                Internetworking Manager
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center

On Thu, 14 Sep 2000, hermit1 wrote:

Why not just put it outside the firewall and treat it as any other ISP
connection?  If I put it on a DMZ, either I need to dedicate a port to it
or it gets access to other machines on that port without me knowing about it.

These boxes can be reached via their ethernet connection and reconfigured,
but if there are no restrictions (except proper user ID), what good would
it do for a cracker to reconfigure it?  I suppose it could be reset to dial
out and used to obscure the true origin of some connection elsewhere.  I
don't see any risk in putting it outside the firewall under the no
restriction rules, though.

hermit1

At 10:46 AM 9/14/00 -0400, Patrick Darden wrote:

Howdy!

We have two of the big ones (dual PRIs with digital modems), and are very
happy with them.  Granted, it took a long time to get them to the point
where they were functional and reliable, but that is more a matter of who
we purchased them from (we spent beaucoup bucks so they would install and
configure and integrate them properly.)

We especially like the dial out ISDN capability this gives everyone on our
network (anyone with the proper privs).

I recommend you put them in your DMZ, because even though there are no
security issues peculiar to them they are an ingress/egress avenue and
should be strictly controlled.


--
--Patrick Darden                Internetworking Manager
--                              706.354.3312    darden () armc org
--                              Athens Regional Medical Center


On Wed, 13 Sep 2000, hermit1 wrote:

Someone at my company wants to install a Shiva LanRover box (8 ports, no
waiting) for dial-up access either behind the firewall or on a DMZ.  I
think this is a 'fine idea', but I want to put it outside the
firewall.  For some reason they don't want to go the ISP route.

I searched various places and found only one description of a security
problem - by default there is a root account on the box without a
password.  Does anyone know of any other problems with this gadget?

Thanks,
hermit1


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards



Michael Kohl
Client-Server EDV


Client-Server EDV und Elektronik HandelsGmbH & Co KG
K.H. Waggerlgasse 27 -29            A-2603 Felixdorf
Tel:02628/61313 Fax:DW35 Mail:miko () client-server co at
           http://www.client-server.co.at
Also visit the sites we sponsor:
 www.biotop.at => animal & plant server for exotic species
 www.Interdrive.com => the best links in the world
 www.fun.co.at => for enjoyable pastimes

