Firewall Wizards mailing list archives
Re: Security of satellite links into an organisation
From: dharris () kcp com
Date: Thu, 25 Jan 2001 12:47:27 -0600
Your description resembles a home cable network setup - my outbound connection to my ISP is through a dial-up telephone line but my inbound connection comes through my cable television connection. Low bandwidth outbound, high bandwidth inbound. Am I right? In your case there is no dial-up, just http/https traffic to your ISP's proxy, traffic which is controlled by your existing firewall. Am I still correct? If I am correct so far I would suggest placing your satellite dish on the far side of some kind of firewall from your corporate network. Set the firewall to allow only http/https traffic from your ISP's proxy. Now you can browse the Web with faster downloads of pages without completely opening your corporate network to everything which might come across the satellite link. I am not sure I completely understand why the ISP places a proxy in this plan. In the cable network setup I mentioned a proxy is not necessary, just routing by the ISP to ensure that traffic destined for my home IP address is routed through the satellite rather than the landline. If the proxy was not there then you could use your existing firewall (proxy-based, I hope) to make sure that all http/https traffic coming to your site was in response to a request for such traffic from your site. That is what a firewall does. Inserting the proxy at the ISP means that outbound requests all go to one address (the proxy) but response traffic comes from multiple addresses (the actual browsed sites.) This confuses the firewalls I know about, as they determine which return traffic is permitted based (at least partly) on the destination address of the request. I would be interested in what other responses you receive. "Wigg, Guy G" <GWigg () mail sbic co za>@nfr.com on 01/25/2001 08:42:32 AM Sent by: firewall-wizards-admin () nfr com To: undisclosed-recipients: cc: Subject: [fw-wiz] Security of satellite links into an organisation Hi all Bandwidth in South Africa is expensive and the response times are not at all that great. We have decided that a good solution for surfing the net is via satellite. One of the SA ISPs offer this service. This would be the basic set-up, they supply a proxy (MS proxy) that they propose sits on the organisation's backbone network. The http request exits the organisation via our landlines to a proxy at the respective ISP. On exiting we obviously control the connection via the firewall we have in place. The ISP then sends the return WebPages to the organisation via the satellite dish. My question is what is the security risk of this set-up? We now have an unprotected pipe coming into the network. Agreed the hacker wouldn't get any responses since the dish can only receive (the responses would blocked by the land FW infrastructure). What risk would we be putting ourselves at? Any feedback on this would be greatly appreciated. thanks Guy _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Security of satellite links into an organisation Wigg, Guy G (Jan 25)
- Re: Security of satellite links into an organisation Tom (Jan 26)
- Re: Security of satellite links into an organisation Chris Keladis (Jan 26)
- <Possible follow-ups>
- RE: Security of satellite links into an organisation Randy Garbrick (Jan 25)
- RE: Security of satellite links into an organisation LeGrow, Matt (Jan 25)
- Re: Security of satellite links into an organisation dharris (Jan 25)
- RE: Security of satellite links into an organisation Wigg, Guy G (Jan 26)
- RE: RE: Security of satellite links into an organisation Safier, Adam (GEIO) (Jan 26)
- Re: Security of satellite links into an organisation Tom (Jan 26)