The answer is yes, you can be address spoofed and access can be gained.
A more secure connection can be utilized by using SecureRemote or some form
of VPN which allows access specifically.
I use this with no proxy to access the servers we allow access to directly
(NAT'd addresses etc).
Mike
> -----Original Message-----
> From: Eric Globe [SMTP:[EMAIL PROTECTED]]
> Sent: a eaie 03 2000 15:20
> To: [EMAIL PROTECTED]
> Subject: [FW1] Asymmetric firewall!
>
>
> I hope this isn't blindingly obvious but I have a squid proxy and cache
> server in a dmz and it allows access to a few netware servers that can be
> controlled remotely from a browser (using non-standard http and https
> ports).
> I haven't, as yet, implemented the ip spoofing feature of fw-1 (cos it
> hampered some ssh services we need) and I want to know how to ensure that
> access to the squid (and hence netware servers) can be done from outside
> the firewall.
>
> The rules for squid are ftp, http (80), https allow from out to in and
> allow access to squid on our non-standard http port from inside.
>
> For control of netware we have (for example) http on port xxx4 and https
> on port xxx7 so the rule is internal_net_object to squid on those ports,
> allow and log. What if someone address spoofed us, could they access squid
> and the netware servers or would we need to have the addresses of the
> netware servers NAT'd to legal internet addresses? Or am I just paranoid?
> Sometimes it's hard to be as inspired and resourceful as a black-hatted
> individual!
>
> regards
>
> e
> ==========================================================================
> ======
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ==========================================================================
> ======
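
A simplified model of the question in this thread, as an added example that is not part of either message and not FW-1's own logic: a rule that matches on source address alone accepts a packet claiming an internal source even when it arrives on the external interface, unless the firewall also checks which interface the packet came in on. All addresses, ports and interface names are constructed; the ports are placeholders for the ones the post elides.

```python
import ipaddress
from dataclasses import dataclass

# All values below are constructed for illustration; none come from the thread.
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # stands in for internal_net_object
SQUID = ipaddress.ip_address("192.0.2.10")           # proxy in the DMZ
ADMIN_PORTS = {8004, 8007}                           # placeholders for the elided ports

# Anti-spoofing table: which source networks are valid on each interface.
VALID_SOURCES = {
    "internal": [INTERNAL_NET],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int

def spoofed(pkt):
    """True if the source address is not valid for the arrival interface."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_iface == "external":
        # External side: a source that belongs behind another interface is spoofed.
        return any(src in net for nets in VALID_SOURCES.values() for net in nets)
    return not any(src in net for net in VALID_SOURCES.get(pkt.in_iface, []))

def rule_matches(pkt):
    """The address-only rule: internal_net -> squid on the admin ports, accept."""
    return (ipaddress.ip_address(pkt.src) in INTERNAL_NET
            and ipaddress.ip_address(pkt.dst) == SQUID
            and pkt.dport in ADMIN_PORTS)

def decide(pkt, anti_spoofing):
    """Apply the optional interface check first, then the rule base."""
    if anti_spoofing and spoofed(pkt):
        return "drop (spoofed source)"
    return "accept" if rule_matches(pkt) else "drop (no rule)"

if __name__ == "__main__":
    genuine = Packet("internal", "10.1.5.20", "192.0.2.10", 8004)
    forged = Packet("external", "10.1.5.20", "192.0.2.10", 8004)
    for name, pkt in (("genuine", genuine), ("forged", forged)):
        for enabled in (False, True):
            print(f"{name:8} anti_spoofing={enabled!s:5} -> {decide(pkt, enabled)}")
```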