It is easy to choose the location for a firewall. It goes between the trusted and
untrusted networks. One reason our network engineers like ATM is that it seamlessly
connects LAN and WAN. End-to-end ATM seems to be Nirvana, and a firewall just breaks
the dream. They are trying to convince me it is OK to connect an untrusted WAN to the
Corporate LAN ATM switch, and let the PVC wander through several Corporate LAN ATM
switches before terminating it on a firewall. I am trying to convince them the
firewall should intercept the WAN traffic before it reaches the Corporate LAN ATM
switches.
Where ATM is used in long lines transmission, no one uses firewalls, mainly since
there is usually not a security gradient. When a demonstrably insecure network
(ADSL, RAS, etc.) connects to our Corporate LAN, there is a security gradient and I
feel the untrusted traffic should go through the firewall before it wanders through
several Corporate network ATM switches.
Sure, ATM PVCs are like dedicated lines, but ATM supports more than just our intended
PVC. If a trusted and an untrusted ATM switch get compromised (how?) they could be
configured to carry unintended traffic.
Is it OK to let this untrusted traffic connect to and wander through our corporate
network without a firewall? Comments are welcome.
Untrusted systems can hack their way into the management port of the switches. All
they have to do is compromise an inside host or two.
The untrusted systems are not internet hosts; they are home computers with ADSL or
Dial-Up access to the corporate network. The risk on the home systems is that they may have
answering modems with inadequate dial-in security (we don't control the user's home
modem), or they may be on a home network (wireless?) that has a system we cannot see
(through NAT) that has an answering modem.
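To make the two placements concrete, here is an added example (my own toy model, not anything from the original posts or from the poster's network). It constructs two small topologies with made-up node names: "core", where the WAN lands on a corporate ATM switch and the PVC hops across several switches before terminating on the firewall, and "edge", where the firewall sits between the WAN and the first corporate switch. It then traces the PVC path from the untrusted side and lists the corporate switches that carry the traffic before any firewall sees it.

```python
# Added example, not from the original posts: a toy topology model that
# traces where an untrusted PVC goes and which corporate ATM switches it
# crosses before it meets a firewall. Node names and both topologies are
# constructed for illustration.

from collections import deque

# Two constructed layouts of the same devices. "core" is the engineers'
# proposal: the WAN lands on a corporate switch and the PVC hops across
# several switches before terminating on the firewall. "edge" puts the
# firewall between the WAN and the first corporate switch.
TOPOLOGIES = {
    "core": {
        "roles": {"wan": "untrusted", "sw1": "corp_switch",
                  "sw2": "corp_switch", "sw3": "corp_switch",
                  "fw": "firewall", "lan": "trusted"},
        "links": [("wan", "sw1"), ("sw1", "sw2"), ("sw2", "sw3"),
                  ("sw3", "fw"), ("fw", "lan")],
    },
    "edge": {
        "roles": {"wan": "untrusted", "fw": "firewall",
                  "sw1": "corp_switch", "sw2": "corp_switch",
                  "sw3": "corp_switch", "lan": "trusted"},
        "links": [("wan", "fw"), ("fw", "sw1"), ("sw1", "sw2"),
                  ("sw2", "sw3"), ("sw3", "lan")],
    },
}


def shortest_path(links, src, dst):
    """Breadth-first search over undirected links; returns the node list
    from src to dst, or [] if dst is unreachable."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def exposure(topo, src="wan", dst="lan"):
    """Walk the PVC path from the untrusted side and report which
    corporate switches carry the traffic before any firewall sees it."""
    path = shortest_path(topo["links"], src, dst)
    before_fw = []
    firewall_seen = False
    for node in path:
        role = topo["roles"][node]
        if role == "firewall":
            firewall_seen = True
        elif role == "corp_switch" and not firewall_seen:
            before_fw.append(node)
    return {"path": path, "exposed_switches": before_fw,
            "firewall_on_path": firewall_seen}


def compare(topologies):
    """Summarise each layout: how many corporate switches an attacker on
    the untrusted side can talk to without passing the firewall."""
    return {name: len(exposure(t)["exposed_switches"])
            for name, t in topologies.items()}


if __name__ == "__main__":
    for name, topo in TOPOLOGIES.items():
        r = exposure(topo)
        print(f"{name}: path={'->'.join(r['path'])} "
              f"exposed={r['exposed_switches']}")
    print(compare(TOPOLOGIES))
```

The measure it reports is deliberately simple: the number of corporate switches that see untrusted traffic (and therefore present their management plane to it) before the firewall gets a look. It does not model how a switch might be compromised, only which switches are reachable from the untrusted side without a firewall in between, which is the difference between the two placements being argued about.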
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]