On Mon, 25 Mar 2002, Robinson, Eric R. wrote:

> Is there a good rule of thumb for situating the RAS server? It seems to me
> that the following would be true:
>
> 3. Outside: Bad from all perspectives.

I don't think this is bad at all. I look at RAS boxes as providing access to the Internet, just like any other modem dial-in/ISDN/DSL/whatever at large and don't accord those dial-up ports any special privileges. That way, if someone does manage to score a login on the RAS box (which I think is quite likely, given the security profile of staff generally and where they write their passwords down), all they have is Internet access.

This might cost you a little money in traffic, but has no real bad security juju. And besides, you keep an eye on your RAS and audit those logs, right?

If you need to provide extra services via dial-up, do the VPN thing. This has the bonus of being potentially usable from anywhere with no special config, because the special access VPN function is divorced from the connectivity thing. Separation of layers is a powerful tool.

Adrian Close                     email: [EMAIL PROTECTED]
1 Old Gippsland Rd.              web: http://www.close.wattle.id.au/~adrian
Lilydale, VIC, 3140, Australia   mobile: +61 412 385 201

P.S. Of course, it's worth taking care with the security of your RAS as well (e.g. if you need SNMP or whatever, configure carefully and patch often, which you should be doing anyway, so there's no difference, right?)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
