RE: RE: Security of satellite links into an organisation

["Safier, Adam (GEIO)" <Adam.Safier () geio ge com>]

I'm not sure what the MS proxy function is, or do you mean the MS Proxy goes
in the ISP?

As I understand it the requests go out through the ISP proxy and all replies
go back to it.  The Proxy routes the traffic to the Satellite network which
sends it directly to each of your remote locations.  The Proxy is hiding
your network from the world. 

I would make sure the Proxy will only do the following:
- the proxy only accepts "established" connections (i.e. replies to web
queries and no connections initiated from the internet to the Proxy itself).
- that it is actually doing NAT on your behalf so your internal IP addresses
are not directly accessible from the internet
- that it has IP forwarding turned off.

You still have all the usual risks of surfing like malicious code hidden in
web pages and users downloading viruses.  If you want to try centralized
virus filtering and code checking you would need to get the ISP to provide
it as a service at or in front of the Proxy.  You are effectively
outsourcing part of your security and should have appropriate security
outsourcing agreements in place.

Adam

-----Original Message-----
From: Wigg, Guy G [mailto:GWigg () mail sbic co za]
Sent: Friday, January 26, 2001 2:11 AM
Subject: [fw-wiz] RE: Security of satellite links into an organisation


We have branches that are geographically wide spread. Since bandwidth is so
expensive here we only have ISP links in one location. We don't want surfing
stuff coming across our WAN links because of the expense and hence the
satellite idea, the requests going across the WAN will be minimal.

Guy

-----Original Message-----
From: Calabrese, Christopher [mailto:christopher_calabrese () merck com]
Sent: Thursday, January 25, 2001 7:45 PM
To: 'Wigg, Guy G'
Subject: RE: [fw-wiz] Security of satellite links into an organisation


Umm, why not just put this box outside your firewall?

-----Original Message-----
From: Wigg, Guy G [mailto:GWigg () mail sbic co za]
Sent: Thursday, January 25, 2001 9:43 AM
Subject: [fw-wiz] Security of satellite links into an organisation


Hi all

Bandwidth in South Africa is expensive and the response times are not at all
that great. We have decided that a good solution for surfing the net is via
satellite. One of the SA ISPs offer this service. This would be the basic
set-up, they supply a proxy (MS proxy) that they propose sits on the
organisation's backbone network. 

The http request exits the organisation via our landlines to a proxy at the
respective ISP. On exiting we obviously control the connection via the
firewall we have in place. The ISP then sends the return WebPages to the
organisation via the satellite dish. My question is what is the security
risk of this set-up? We now have an unprotected pipe coming into the
network. Agreed the hacker wouldn't get any responses since the dish can
only receive (the responses would blocked by the land FW infrastructure).
What risk would we be putting ourselves at?

Any feedback on this would be greatly appreciated.

thanks
Guy


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards