One more option is to create a segment off of the FW just for the RAS. You don't have to worry about letting traffic from your DMZ into your internal LAN, and you still have a high level of security for your RAS. Require static IP addressing in your RAS for each user ID on the RAS and create a separate but matching object for each account on your FW and you've got it tight. If someone breaks into your RAS through dialup they have to know a username, password, and IP address information just to pass through the FW. Then they have to pick an account with access to anything. One more hurdle is to add RADIUS to the RAS and all of your accounts are off of your RAS. Labor intensive though.
CH

-----Original Message-----
From: Robinson, Eric R. [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 2:49 PM
To: '[EMAIL PROTECTED]'
Subject: RAS Server Location: Inside, Outside, or DMZ?

Our organization is about to deploy a dial-up RAS server. We have heard noises that the location of the RAS server can pose subtle issues with regard to security and functionality. Is there a good rule of thumb for situating the RAS server? It seems to me that the following would be true:

1. Inside: Easy to deploy but a security liability.
2. DMZ: Best position for security, but requires some one-time firewall configuration.
3. Outside: Bad from all perspectives.

However, maybe the answer is not so obvious. Hence this question.

--
Eric Robinson
Network Analyst
State of Nevada DOT

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
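The per-account matching described in the reply above (a static IP per RAS user ID and a matching firewall object for each account) only holds while the two lists stay in sync. The following is an added example, not part of the original thread: a Python check that compares the two lists. All user names, addresses and the segment are constructed, and naming each firewall object after its account is an assumption.

```python
import ipaddress

# Constructed sample data; names, addresses and the segment are assumptions.
RAS_SEGMENT = ipaddress.ip_network("192.0.2.0/28")
RAS_STATIC_IPS = {          # user ID -> static IP handed out by the RAS
    "alice": "192.0.2.2",
    "bob": "192.0.2.3",
    "carol": "192.0.2.3",   # duplicate of bob's address
    "dave": "192.0.2.40",   # outside the RAS segment
    "erin": "192.0.2.5",    # no firewall object
}
FW_OBJECTS = {              # firewall object (named after the account) -> IP
    "alice": "192.0.2.2",
    "bob": "192.0.2.4",     # drifted from the RAS assignment
    "carol": "192.0.2.3",
    "dave": "192.0.2.40",
    "frank": "192.0.2.6",   # account no longer exists on the RAS
}


def audit(ras, fw, segment):
    """Return sorted (user, problem) findings where RAS and firewall disagree."""
    findings = []
    seen = {}               # address -> first user it was assigned to
    for user, ip in ras.items():
        addr = ipaddress.ip_address(ip)
        if addr not in segment:
            findings.append((user, "address outside RAS segment"))
        if addr in seen:
            findings.append((user, f"address shared with {seen[addr]}"))
        else:
            seen[addr] = user
        if user not in fw:
            findings.append((user, "no firewall object"))
        elif ipaddress.ip_address(fw[user]) != addr:
            findings.append((user, "firewall object IP differs from RAS"))
    for name in fw:
        if name not in ras:
            findings.append((name, "firewall object without RAS account"))
    return sorted(findings)


if __name__ == "__main__":
    for user, problem in audit(RAS_STATIC_IPS, FW_OBJECTS, RAS_SEGMENT):
        print(f"{user}: {problem}")
```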
