OK,

Thank you all for your input, I think I have the solution.  While it is
not the most secure, it is the most favored by the people I have to sell
it to, it is the least complicated, and requires the fewest changes.

People coming into the DMZ would be dialing in via a VAN, so it is already
a little better than coming over the internet.  I have found out that our
firewalls will pass IPX (as they are ignorant of it).  They can tunnel
into the DMZ then un-encapsulate the IPX at the public router, and
pass it through the firewall to the internal router.

Proposed solutions were:

BorderManager
PPTP
Netware 5 servers doing translation
IPSEC tunneling
Terminal Server

Given the environment, PPTP, IPSEC and the terminal server were the only
other alternatives.  This client is phasing out Netware as one of its
platforms, so more Novell is unacceptable.

Carric Dooley
COM2:Interactive Media
http://www.com2usa.com

On Fri, 11 Jun 1999, Dave Hecht wrote:

> As a CNE for many years, I have grown to hate IPX, and yes Carric, it is often a
> necessary evil.  One solution might be to use Novell's Border Manager and VPN it in
> using their client/host method.  It works rather well although it hammers the hell
> out of your BM box.  We have a lot of IPX floating around here as well and the problem
> you will encounter if you try to write filters yourself is that there appears to be
> no limit to the number of SAP types you have to contend with and just when you think
> you have them all filtered....
> The VPN uses 128 bit encryption and is fairly easy to set up at both the server and
> client side, you can also do site to site VPNs with it if that fits your plan.
> 
> 
> 
> Dave Hecht
> Sr. Systems Analyst
> City of Bakersfield
> (661)326-3726 voice
> www.bakersfield.ca.us
> 
> (805)852-2063 fax
> 
> 
> >>> Carric Dooley <[EMAIL PROTECTED]> 6/9/99 12:52:33 PM >>>
> I have a quick question that I was hoping to find some input on.
> 
> I have a requirement for getting IPX into my network over an IP VAN.
> There is a proposed solution currently that I DON'T like, but I want to
> see how many viable alternatives there are.
> 
> The current proposal is to create a PPTP tunnel right into our network, and
> just tunnel IPX through it.  All other IP traffic is pumped into our
> Private DMZ.
> 
> I have proposed SecuRemote (as FW-1 firewalls are involved) but that was
> immediately poo-poo'd.  Given PPTP's track record, I don't really trust
> it.
> 
> I want to know what alternatives there might be for safely encapsulating
> IPX and getting it inside the network without introducing too much danger.
> Please let me know what you think.
> 
> Thank you
> 
> 
> 
> Carric Dooley
> COM2:Interactive Media
> http://www.com2usa.com 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 