Firewall Wizards
mailing list archives
Re: TIS Gauntlet : WINS and Exchange
From: "James Moore" <jim () bokler com>
Date: Thu, 2 Apr 1998 15:37:59 +0000
On 2 Apr 98, you wrote:
TRUE if the site is a trusted site. The VPN allows all ports and
protocols between sites.
I assumed it was a trusted site since the original question said
there were two locations (uptown, downtown) for the same company.
Also, most VPNs have some sort of "filtering" mechanism which allows
you to control what ports and protocols are allowed thru the tunnel.
If it is just one box a VPN is great!! But what if it is a small
group of scattered IP addresses in an untrusted site. (I know, they
are already using Windows crap and possibly granting the keys to the
Kingdom). But, is it safer to tunnel box to box or do a global fully
trusted VPN to a possibly untrusted site, and do they have a
firewall at both sites??? If not, maybe doing a VPN encrypted using
Gauntlet PC Extender on each PC that needs Windows communication to
the main firewalled site.
I'm not sure I understand your point, but if the situation is as you
describe - a few trusted hosts at an untrusted site - then
host-to-host and host-to-firewall tunneling are options. But what
about physical security?... are the hosts in the hostile environment
physically secure? If not, the tunnels may have limited value.
Before recommending a more complex solution I'd try to get a handle
on the risk levels and the value of the data being protected. The
tunnel doesn't give its user "free rein" over the host at the
other end; he must also have the required permissions to access the
desired data/services on the target host. In other words, he'd have
to hack the tunnel and then the OS to get the goods illicitly.
I guess I'm just trying to say that "simpler is better". The obvious
stuff like physical security, good password selection, etc. oughta'
be addressed before resorting to multiple tunnel arrangements. The
additional cost and complexity should be justified by the value of
the data being protected and the presence of a realistic threat.
Best Regards,
James Moore
-----Original Message-----
From: James Moore <jim () bokler com>
To: AC <ac0 () io com>; ac0 () io com <ac0 () io com>; firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Thursday, April 02, 1998 2:53 AM
Subject: Re: TIS Gauntlet : WINS and Exchange
When faced with a similar situation last year, I used the VPN
feature to tunnel all the "network neighborhood" stuff through the
firewalls. That seemed to preserve all of the Windows networking
features, and do it more securely than the "generic" proxy service
on the firewall.
James Moore
On 31 Mar 98, you wrote:
Hey folks,
So I am currently on a project that involves
a number of m$ products; <sigh>
"Know thy enemy" is what I always say
though.
check this: the company has 2 WINS servers, the primary
one is in their uptown location. Their secondary is
at their downtown location, where I am.
So they do WINS resolution _over the Internet_.
(no inter-office connectivity
except through the net). Is WINS and port 137-139
netbios services the same thing? How the fsck does WINS
work anyway? More importantly, how will I pass
it through the Gauntlet firewall (plug-gw?) ( is there not
the fear that somebody can just use smbclient and
a cracked password to access the drives?) Not only
that, but they do the Exchange database replication
also _over the internet_. Needless to say, their
setup is fubar. But I have to know: how does the m$ sexchange
db replication work anyway? (which ports or anything)
more importantly, how do I pass it through gauntlet?
I believe I might have to just tcpdump
on the wire and figure out what's happening,
'cause RFC1001 and RFC1002 ain't fun reading.
Suggestions, flames, comments welcome.
--Anindya
Bokler Software Corp.
PO Box 261
Huntsville, AL 35804
tel: 205-539-9901
fax: 205-882-7401
www: http://www.bokler.com/
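Anindya's questions above (how WINS works, and whether it is the same thing as NetBIOS on ports 137-139) come down to the NetBIOS Name Service on UDP/137 from RFC 1001/1002: WINS is just a unicast NBNS server. The code below is an added example, not part of the thread, showing how the 32-byte "first-level encoded" name in an NBNS query is built and decoded, so a defender reading a tcpdump of port 137 at the firewall can see which server names (and which service suffix) hosts are resolving across the Internet; the sample packet and the UPTOWN name are constructed.

```python
import struct

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name plus a one-byte
    suffix (0x00 workstation, 0x20 server), each nibble mapped to 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_netbios_name(label: bytes) -> tuple[str, int]:
    """Reverse the first-level encoding; returns (name, suffix)."""
    if len(label) != 32 or any(not 0x41 <= b <= 0x50 for b in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(label[::2], label[1::2]))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def parse_nbns_query(pkt: bytes) -> dict:
    """Parse the header and first question of a NetBIOS Name Service (UDP/137)
    packet. Layout mirrors DNS: 12-byte header, label sequence, QTYPE, QCLASS."""
    if len(pkt) < 12:
        raise ValueError("truncated NBNS header")
    tid, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while pkt[off] != 0:                      # DNS-style labels, zero byte terminates
        length = pkt[off]
        labels.append(pkt[off + 1:off + 1 + length])
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    name, suffix = decode_netbios_name(labels[0])
    return {"id": tid,
            "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0x0F,    # 0 = query, 5 = registration, 6 = release
            "broadcast": bool(flags & 0x0010), # B bit: LAN broadcast; clear for unicast to WINS
            "name": name, "suffix": suffix,
            "scope": b".".join(labels[1:]).decode("ascii"),
            "qtype": qtype, "qclass": qclass}  # qtype 0x0020 = NB (name-to-address)

def build_nbns_query(name: str, suffix: int, tid: int = 0x1234) -> bytes:
    """Construct a unicast NB query as a client sends it to a WINS server
    (flags 0x0100: query, recursion desired, B bit clear). Sample data only."""
    header = struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0)
    question = bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
    return header + question + struct.pack("!HH", 0x0020, 0x0001)

# Constructed sample: a downtown client asking WINS where the UPTOWN server (suffix 0x20) is.
SAMPLE_QUERY = build_nbns_query("UPTOWN", 0x20)
```

Name resolution on 137 is only the first step; the SMB file access the question worries about then happens on 139, so a filter that passes 137 to a WINS server should still block 139 unless the tunnel or proxy explicitly carries it.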