Firewall Wizards mailing list archives

Re: Security of satellite links into an organisation


From: dharris () kcp com
Date: Thu, 25 Jan 2001 12:47:27 -0600


Your description resembles a home cable network setup - my outbound
connection to my ISP is through a dial-up telephone line but my inbound
connection comes through my cable television connection.  Low bandwidth
outbound, high bandwidth inbound.  Am I right?

In your case there is no dial-up, just http/https traffic to your ISP's
proxy, traffic which is controlled by your existing firewall.  Am I still
correct?

If I am correct so far I would suggest placing your satellite dish on the
far side of some kind of firewall from your corporate network.  Set the
firewall to allow only http/https traffic from your ISP's proxy.  Now you
can browse the Web with faster downloads of pages without completely
opening your corporate network to everything which might come across the
satellite link.

I am not sure I completely understand why the ISP places a proxy in this
plan.  In the cable network setup I mentioned, a proxy is not necessary,
just routing by the ISP to ensure that traffic destined for my home IP
address is routed through the satellite rather than the landline.

If the proxy was not there then you could use your existing firewall
(proxy-based, I hope) to make sure that all http/https traffic coming to
your site was in response to a request for such traffic from your site.
That is what a firewall does.  Inserting the proxy at the ISP means that
outbound requests all go to one address (the proxy) but response traffic
comes from multiple addresses (the actual browsed sites.)  This confuses
the firewalls I know about, as they determine which return traffic is
permitted based (at least partly) on the destination address of the
request.

I would be interested in what other responses you receive.






"Wigg, Guy G" <GWigg () mail sbic co za>@nfr.com on 01/25/2001 08:42:32 AM

Sent by:  firewall-wizards-admin () nfr com


To:   undisclosed-recipients:
cc:

Subject:  [fw-wiz] Security of satellite links into an organisation


Hi all

Bandwidth in South Africa is expensive and the response times are not at all
that great. We have decided that a good solution for surfing the net is via
satellite. One of the SA ISPs offers this service. This would be the basic
set-up, they supply a proxy (MS proxy) that they propose sits on the
organisation's backbone network.

The http request exits the organisation via our landlines to a proxy at the
respective ISP. On exiting we obviously control the connection via the
firewall we have in place. The ISP then sends the return web pages to the
organisation via the satellite dish. My question is what is the security
risk of this set-up? We now have an unprotected pipe coming into the
network. Agreed the hacker wouldn't get any responses since the dish can
only receive (the responses would be blocked by the land FW infrastructure).
What risk would we be putting ourselves at?

Any feedback on this would be greatly appreciated.

thanks
Guy


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
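
An added sketch, not part of the original messages or the list archive, of the state matching the reply describes: a firewall that admits inbound traffic only when it mirrors a recorded outbound request, next to the static "only http/https from the ISP's proxy" rule suggested for the satellite side. All addresses and ports are constructed (documentation ranges), and the class and function names are hypothetical.

```python
from dataclasses import dataclass

CLIENT = "192.0.2.10"    # constructed: internal browser
PROXY = "198.51.100.5"   # constructed: ISP proxy reached over the landline
SITE = "203.0.113.80"    # constructed: the site actually browsed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Minimal state table keyed on the outbound 4-tuple."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        # Remember the request so that only its mirror image is accepted later.
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt):
        # A reply must come from the address and port the request went to.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def satellite_rule(pkt, proxy=PROXY):
    """Static rule for the satellite side: http/https from the ISP proxy only."""
    return pkt.src == proxy and pkt.sport in (80, 443)


def run_demo():
    fw = StatefulFilter()
    fw.outbound(Packet(CLIENT, 40000, PROXY, 80))   # request leaves by landline
    from_proxy = Packet(PROXY, 80, CLIENT, 40000)   # reply mirrors the request
    from_site = Packet(SITE, 80, CLIENT, 40000)     # reply sourced from the site
    unsolicited = Packet(PROXY, 80, CLIENT, 40001)  # no matching request
    return {
        "state_from_proxy": fw.inbound_allowed(from_proxy),
        "state_from_site": fw.inbound_allowed(from_site),
        "state_unsolicited": fw.inbound_allowed(unsolicited),
        "static_from_site": satellite_rule(from_site),
        "static_unsolicited": satellite_rule(unsolicited),
    }


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {'allow' if allowed else 'drop'}")
```

The static rule accepts the unsolicited packet that the state table drops, because it checks only source address and port and keeps no record of requests.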




