Firewall Wizards mailing list archives
Re: shiva lanrover
From: miko () client-server co at
Date: Mon, 18 Sep 2000 10:15:03 +0200
I suggest placing the RAS server outside the firewall. If you are using a Shiva LanRover, the box is protected with several features such as username/password, caller ID verification, call back, and so on. Then you can split your network into two regions, simply secured with your firewall in between, one with access for the RAS (simply one more NIC in your FW) where you have your servers for this access. You should not use RAS without a good back-end solution for security - you have to have an authentication server with single PWD. You can use Shiva's AccessManager, which includes a RADIUS/TACACS server, and the VASCO authentication server with support for soft/hard tokens based on challenge/response authentication. Or you can use any other authentication like CryptoCard or SafeWord or maybe SecurID (which is the least secure of these).

From: Patrick Darden <darden () armc org>
To: hermit1 <hermits () mac com>
Copies to: firewall-wizards () nfr com
Subject: Re: [fw-wiz] shiva lanrover
Outside your firewall meaning on the internet? Accessible by anyone? Not recommended. Rack up a heck of a long distance bill if you get hacked, have no secure access to it from your network (as in dial out, management, logging and auditing, etc.). Kind of a strange idea, actually. Random DoS attacks would lock it up two or three times a day.

Located inside your DMZ it gets a lot of protection, but it is still not a trusted host so it only gets certain restricted access. Very controllable, very manageable, if done correctly.

Inside your network means it is fully trusted, so a kid with a wardialer could conceivably hack into it--and from there have free access to the soft rich underbelly of your network. Better than hanging it outside your firewall but, again, not recommended.

By their nature, RAS units are doubly susceptible to attack--as they are doubly accessible. I suggest you protect your unit as strongly as possible without limiting its functionality.

--
--Patrick Darden
Internetworking Manager
706.354.3312
darden () armc org
Athens Regional Medical Center

On Thu, 14 Sep 2000, hermit1 wrote:

Why not just put it outside the firewall and treat it as any other ISP connection? If I put it on a DMZ, either I need to dedicate a port to it or it gets access to other machines on that port without me knowing about it. These boxes can be reached via their ethernet connection and reconfigured, but if there are no restrictions (except proper user ID), what good would it do for a cracker to reconfigure it? I suppose it could be reset to dial out and used to obscure the true origin of some connection elsewhere. I don't see any risk in putting it outside the firewall under the no restriction rules, though.

hermit1

At 10:46 AM 9/14/00 -0400, Patrick Darden wrote:

Howdy! We have two of the big ones (dual PRIs with digital modems), and are very happy with them. Granted, it took a long time to get them to the point where they were functional and reliable, but that is more a matter of who we purchased them from (we spent beaucoup bucks so they would install and configure and integrate them properly.) We especially like the dial out ISDN capability this gives everyone on our network (anyone with the proper privs). I recommend you put them in your DMZ, because even though there are no security issues peculiar to them they are an ingress/egress avenue and should be strictly controlled.

--
--Patrick Darden
Internetworking Manager
706.354.3312
darden () armc org
Athens Regional Medical Center

On Wed, 13 Sep 2000, hermit1 wrote:

Someone at my company wants to install a Shiva LanRover box (8 ports, no waiting) for dial-up access either behind the firewall or on a DMZ. I think this is a 'fine idea', but I want to put it outside the firewall. For some reason they don't want to go the ISP route. I searched various places and found only one description of a security problem - by default there is a root account on the box without a password. Does anyone know of any other problems with this gadget?

Thanks,
hermit1

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
Michael Kohl
Client-Server EDV
Client-Server EDV und Elektronik HandelsGmbH & Co KG
K.H. Waggerlgasse 27-29
A-2603 Felixdorf
Tel: 02628/61313 Fax: DW35
Mail: miko () client-server co at
http://www.client-server.co.at
Also visit the sites sponsored by us:
www.biotop.at => animal & plant server for exotic species
www.Interdrive.com => the best links in the world
www.fun.co.at => for enjoyable pastimes