At 10:26 PM 8/23/00, Chuck Larrieu wrote:
><I snipped some excellent points for brevity's sake>
>Some folks attempt to secure their inside environments further by creating
>multiple security domains, protected by multiple firewalls. Sure, why not?
>Some folks further refine the concept by using different firewall vendors at
>different points, thus offering further stumbling blocks to intruders.
>Again, why not? It depends upon how much you value your resources versus how
>much time you want to spend managing the confusion.

There are many advantages to keeping security simple. If the stumbling 
blocks are too cumbersome, they will cause problems for legitimate end 
users, not just intruders.

I just ran into an annoying problem, helping a customer. She is behind a 
firewall and must use FTP passive mode. She's trying to reach an FTP/WEB 
server (to upload her Web pages) that has a non-stateful firewall running 
directly on the server.

What this means is that this server will not let the client come back in 
and open a TCP connection to send the data. Being non-stateful, the 
firewall is too stupid to know that its host (the server) just gave out the 
port number to be used for the connection, (in response to the PASV 
command). Instead, the firewall simply sees a client trying to open a TCP 
connection to a high port number, and says "no way, get outta here."

But the customer can't use ACTV mode because of the firewall on her end. 
This situation appears to be a catch-22.

Is this silly, or what??? &;-)

Priscilla



>One begins to see the advantage of a clear, well thought out written
>security policy, built around the identification of resources of value, the
>quantification of risk associated with the compromise of those resources,
>and the determination of who should have access to which resources under
>what circumstances. From there, the specifics of design become a bit easier
>to deal with, and questions such as those of your security manager become
>easier to answer.
>
>HTH / FWIW
>
>Chuck
>
>-----Original Message-----
>From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Steve Smith
>Sent:   Tuesday, August 22, 2000 1:17 PM
>To:     '[EMAIL PROTECTED]'
>Subject:        security
>
>Hey gang, a little OT but here it goes. I need a few "expert" opinions on a
>sore subject.
>
>If you have a big WAN, ATM DS3 connecting 6 cities, with a single internet
>access point. Our "security" manager feels that we should have public IPs
>running in our DMZ and our WAN from city to city. Then NAT/PAT into each
>location. The other way would be to have a DMZ at the internet access point,
>leave them public for web servers and such, then NAT/PAT through the
>firewall for the rest of the WAN.
>
>Any feelings?
>
>Thanks in advance.
>Steve
>
>
>
>
>___________________________________
>UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
>FAQ, list archives, and subscription info: http://www.groupstudy.com
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


________________________

Priscilla Oppenheimer
http://www.priscilla.com
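The PASV catch-22 described in this thread comes down to one thing: a stateless host firewall cannot connect the port number its own FTP server just announced in a 227 reply to the inbound SYN that arrives a moment later, while a stateful filter with an FTP helper can. The following Python is an added illustration and not code from anyone on the list; it parses the 227 reply, replays the control/data exchange against both kinds of filter, and shows that the stateful one admits only the single connection the server announced. The addresses and port numbers are constructed for the example.

```python
import re
from dataclasses import dataclass

# FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply; data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (host, port) announced by a 227 PASV reply, or None for any other reply."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class StatelessFilter:
    """Static port list and no memory: the host firewall in the thread."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)

    def observe_outbound(self, pkt: Packet) -> None:
        pass  # a stateless filter learns nothing from what its own host sends

    def decide(self, pkt: Packet) -> str:
        return "ACCEPT" if pkt.dport in self.allowed else "DROP"


class StatefulFilter(StatelessFilter):
    """Same port list, plus an FTP helper that reads the 227 reply and
    pre-authorises exactly one inbound connection to the announced port."""

    def __init__(self, allowed_ports):
        super().__init__(allowed_ports)
        self.expected = set()  # (client, server, data_port) tuples

    def observe_outbound(self, pkt: Packet) -> None:
        if pkt.sport == 21:  # control-channel reply leaving the server
            parsed = parse_pasv(pkt.payload)
            if parsed:
                self.expected.add((pkt.dst, pkt.src, parsed[1]))

    def decide(self, pkt: Packet) -> str:
        if pkt.dport in self.allowed:
            return "ACCEPT"
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.expected:
            self.expected.discard(key)  # one-shot: honoured once, then forgotten
            return "ACCEPT"
        return "DROP"


def simulate(fw) -> list:
    """Replay the exchange from the thread against a filter; return the inbound verdicts."""
    client, server = "192.0.2.10", "198.51.100.5"  # constructed example addresses
    verdicts = []
    # client opens the control connection to port 21
    verdicts.append(fw.decide(Packet(client, 40001, server, 21)))
    # server answers PASV, announcing data port 195*256+80 = 50000
    fw.observe_outbound(Packet(server, 21, client, 40001,
                               "227 Entering Passive Mode (198,51,100,5,195,80)."))
    # client opens the data connection to the announced port
    verdicts.append(fw.decide(Packet(client, 40002, server, 50000)))
    # unrelated probe of a neighbouring high port; neither filter should admit it
    verdicts.append(fw.decide(Packet(client, 40003, server, 50001)))
    return verdicts


if __name__ == "__main__":
    print("stateless:", simulate(StatelessFilter([21])))  # ['ACCEPT', 'DROP', 'DROP']
    print("stateful: ", simulate(StatefulFilter([21])))   # ['ACCEPT', 'ACCEPT', 'DROP']
```

The stateless filter's only way out of the catch-22 is a standing rule that opens a whole range of high ports, which is exactly the kind of blanket hole a stateful FTP helper avoids: it admits one connection, to one port, from the one client the server was talking to, and nothing else.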
