On Wed, 26 Jul 2000, Chris Mason wrote:
> Everyone has jumped on me for putting data on the firewall, but no-one
> has really given me a concrete example of a better way to go. I need
> to stay with Linux open source solutions. My optimal solution might be
> to use an SSH tunnel to the data, wherever on the LAN it is. However, I
> don't actually know how to do that with a Windows client and a Linux
> firewall.

There are a number of things you could do. One of them would be to set up
a separate network behind the firewall (let's call it the semi-trusted
network) and put the FTP server on that. I've done setups like this
before where the Internet could reach the semi-trusted net and the
semi-trusted net could reach the internal net but no packets from the
Internet could get directly into the trusted net. Another way to do this
would be with a pair of firewalls:

    Internet -> FW -> DMZ/Semi-trusted -> FW -> LAN

The two FW's there could be the same box if it's set up properly.

Another option, or something you could do in conjunction with the setup I
just described, is to give anyone who needs "FTP" access to that data an SCP
client. F-Secure's implementation of SSH has an SCP client, and I've seen
SSH1 clients compiled for Windows freely available on the 'net. Wrap a
batch file around it and your clients should be happy while keeping your
accounting data as safe as reasonably possible. Remember that FTP is
clear-text and if your clients are FTPing it over the net it's pretty
simple to sniff.

-Jason
-----
Jason K. Schechner - check out www.cauce.org and help ban spam-mail.
=The difference between genius and stupidity is that genius has bounds.=
---There is no TRUTH. There is no REALITY. There is no CONSISTENCY.---
---There are no ABSOLUTE STATEMENTS I'm very probably wrong.---
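
The forwarding policy described in the reply above (Internet may reach the semi-trusted net, the semi-trusted net may reach the LAN, nothing from the Internet is forwarded straight into the LAN), written for a single box with three interfaces. This is an added example, not part of the original message; it uses iptables, and the interface names, the server address 192.0.2.10 and the choice of SSH/SCP on port 22 are assumptions.

```shell
#!/bin/sh
# Added example: three-zone forwarding policy on one Linux firewall.
# Interface names, DMZ_HOST and the port are assumptions (constructed values).
EXT_IF="${EXT_IF:-eth0}"            # Internet
DMZ_IF="${DMZ_IF:-eth1}"            # semi-trusted network
LAN_IF="${LAN_IF:-eth2}"            # trusted LAN
DMZ_HOST="${DMZ_HOST:-192.0.2.10}"  # file server in the semi-trusted net
IPT="${IPT:-echo iptables}"         # dry run by default; IPT=iptables applies (root)

forward_policy() {
    # Anything not explicitly allowed below is not forwarded.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to connections that one of the rules below already allowed.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Internet -> trusted LAN: never forwarded directly; log the attempt.
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -j LOG --log-prefix "ext-to-lan: "
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -j DROP
    # Internet -> semi-trusted net: only SSH/SCP to the file server.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Semi-trusted net -> trusted LAN, as in the setup described above.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Outbound rules for the LAN are site-specific and left out here.
}

# Count ACCEPT rules that would forward Internet traffic straight into the LAN.
# Always evaluated against the dry-run output, never against the live table.
direct_ext_to_lan_accepts() {
    ( IPT="echo iptables"; forward_policy ) \
        | grep -- "-i $EXT_IF -o $LAN_IF " \
        | grep -c -- "-j ACCEPT" || true
}

# "sh script.sh show" prints (or, with IPT=iptables, applies) the policy.
if [ "${1:-}" = "show" ]; then
    forward_policy
fi
```

With the default dry run the script only prints the iptables commands, so the rule order can be reviewed before anything touches the running firewall.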