I can think of a couple of implications.  If anyone should manage to compromise the internal UNIX host, your entire internal network is up for grabs.  A second issue is that an FTP control connection can be used to map internal network devices.

The security configurations for these machines will need to be VERY tight and constantly maintained even if you restrict access to just FTP and Telnet.  I'd suggest SSH for the Telnet connections and an SSH-enabled FTP for the FTP connections.

-- Bill Stackpole, CISSP
"Simplify, there is no value in complexity, it's too difficult to manage."    




"Laura Usakowski" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

04/04/00 09:22 AM

       
        To:        [EMAIL PROTECTED]
        cc:        
        Subject:        Access to internal campus server via Internet firewall


Attention Firewalls Group.

As one part of our security plan, we have implemented a Raptor
firewall between the Internet (External network) and the campus
networks.  The campus networks include a DMZ zone (mail
servers, web servers, etc.) and an Internal network (campus-only
servers (Linux) and file servers (NetWare 5), Intranet web servers,
etc.).  

We  have a proposal up for discussion.  I would like opinions on the
security implications.  

Proposal:  

The need is to provide access to an internal campus Unix server
from the Internet.  The required access would be telnet and ftp.  

This access would be provided through the firewall.  We would
assign an IP address on the external network.  Our firewall would
provide a virtual connection to the internal Unix server (private class
A) address.  The Unix server has a dial-out only modem/phone line
installed.  

What are the _specific_ security concerns with this proposal?  Are
there any risks to other servers on the internal network?  Are there
any recommendations or alternatives on how to implement this
type of access while minimizing the security risks?  Does it matter
on the firewall vendor we have?  Does it matter that we have a
modem installed in the server?  


------------------------------
Laura Usakowski, Network Administrator
Aquinas College, Information Technology & Services
1607 Robinson RD SE, Grand Rapids MI 49506 USA
http://www.aquinas.edu, 616-459-8281 x3729
[EMAIL PROTECTED]
Personal e-mail: [EMAIL PROTECTED]