Luc,
That's one option.
What makes it harder is that on one side, I have close to 1000 internal
users who will be using one aspect, and at least 17 external companies using
another. I simply can't give each person a card.
As well, this is good for authentication, but what I need is a more secure
access to the data, not just the authentication.
Thanks tho.
Mike
> -----Original Message-----
> From: Luc Terryn [SMTP:[EMAIL PROTECTED]]
> Sent: � ������ 23 2000 15:37
> To: [EMAIL PROTECTED]
> Subject: [FW1] Thoughts on external access to Intranet server -Reply
>
> Hi Mike,
>
> My suggestion would be to at least use strong authentication like
> SecurID, Vasco, ActivCard.
> I am used to Vasco, which can implement tripleDES and also has some way to
> use an optical challenge to ease the authentication process.
> I would not use SecurID because it is a one-time password, less secure
> than time-based challenge-response.
>
> If the data itself is sensitive encryption could be added with the same
> kind of authentication.
>
> If you like directories, ActivCard has an integration with Novell NDS,
> and an LDAP/RADIUS dialog is also possible.
> I know some such implementations also.
>
> If the data itself is really sensitive then you may combine this with
> SecuRemote.
> This works fine, but I suppose you will quickly become a SecuRemote
> specialist because it drives a lot of support calls.
> Also pay attention that SecuRemote works poorly or not at all if the
> client has hide translation.
>
> I hope this helps.
>
> Regards
>
> Luc Terryn
>
> Belgocontrol
> Belgian Air Traffic Control
>
>
>
> >>> Mike Glassman - Admin <[EMAIL PROTECTED]> 11/23/00 11:41am >>>
>
> All,
>
> The folks here have decided that an Intranet server will be a good thing
> (finally).
>
> The issue is that they also want access to this server from outside, which
> in itself is not too much of an issue. Where it becomes a bit more sticky is
> that they wish to allow external companies access to specific issues on
> this server, and via them, to other servers in our network (NT, Netware,
> Unix, AS400 and so on). As well, they want access for our users from
> outside to the inside with, once again, the ability to access and change data on
> internal servers.
>
> Now I could simply allow http access via the firewall with authentication on
> both the FW and the Intranet server, but that's about as secure as leaving
> $100s lying around on the floor for all to see and go for.
>
> My current setup is as follows :
>
> Internet
> |
> Router (double with BGP4 to two ISP's)
> |
> FireWall----DMZ (there's more, but this is all that matters right now)
> |
> Local Network (servers and users)
>
> I was thinking that perhaps an additional machine or machines on the DMZ,
> set up as reverse proxies, or perhaps HTTP routing servers, which would get
> the external requests and only this server (or servers) would then be
> allowed to forward and receive data to and from the internal Intranet
> server.
>
> Again, the logic is in there, but I'd really appreciate some direct help on
> how to best set this up.
>
> I can't add a second FireWall, and the routers on the Internet side are Bay
> (so not easy to set up access lists) and already run BGP4 so I'd rather not
> add anything more to them which may cause them to falter in any way.
>
> Ideas and thoughts are welcomed.
>
> Please also forward a copy to my email address direct as well as to the
> group if you can of any thoughts you may have.
>
> Thanks Ahead,
>
> Mike Glassman
> System & Security Admin
> Israeli Airports Authority
> Ben-Gurion Airport
> http://www.ben-gurion-airport.co.il
>
> Tel : 972-3-9710785
> Fax : 972-3-9710939
> Email : [EMAIL PROTECTED]
>
> Usage of this email address or any email address at iaa.gov.il for the
> purpose of sales pitches, SPAM or any other such unwanted garbage, is
> illegal, and any person, whether corporate or alone doing so, will be
> prosecuted to the fullest possible extent.
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
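The two design points raised in this thread, a challenge-response login whose captured responses cannot be replayed, and a DMZ reverse proxy that forwards only allowlisted requests on to the internal Intranet server, as one added example. This is illustrative code written for this page, not anything from the list, from Check Point, or from the token vendors named. It assumes HMAC-SHA256 as a stand-in for whatever the hardware tokens compute, shared keys provisioned out of band, and a constructed group-to-path policy (`ACCESS_POLICY`); the firewall rule that lets only the proxy host reach the internal server is assumed and not shown.

```python
import hashlib
import hmac
import posixpath
import secrets
import time


class ChallengeResponseAuthenticator:
    """Server side of a nonce-based challenge-response login.

    Each login issues a fresh random challenge; the client proves possession
    of its shared key by returning HMAC(key, challenge). A captured response
    is useless afterwards because the challenge is consumed on first use and
    expires after `challenge_ttl` seconds. HMAC-SHA256 is an assumed stand-in
    for the token vendor's algorithm (the thread mentions tripleDES).
    """

    def __init__(self, shared_keys, challenge_ttl=60):
        self._keys = dict(shared_keys)   # user -> key bytes, provisioned out of band (assumed)
        self._pending = {}               # user -> (challenge, issued_at)
        self.challenge_ttl = challenge_ttl

    def issue_challenge(self, user, now=None):
        if user not in self._keys:
            raise KeyError(f"unknown user {user!r}")
        challenge = secrets.token_bytes(16)
        self._pending[user] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, user, response, now=None):
        # Consume the pending challenge whether or not the response is valid,
        # so neither a replay nor a guessing attempt can reuse it.
        pending = self._pending.pop(user, None)
        if pending is None:
            return False
        challenge, issued_at = pending
        current = time.time() if now is None else now
        if current - issued_at > self.challenge_ttl:
            return False
        expected = hmac.new(self._keys[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key, challenge):
    """What the user's token or client computes from the challenge it was shown."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


# Constructed policy for the DMZ reverse proxy: which intranet paths each
# authenticated population may have forwarded to the internal server.
ACCESS_POLICY = {
    "staff": ("/intranet/",),
    "partner-acme": ("/partners/acme/",),
}


def authorize_forward(group, path):
    """Return True only if the proxy may forward `path` for this group.

    The path is normalised first so '..' segments cannot escape an allowed
    prefix; anything the policy does not list explicitly is denied.
    """
    prefixes = ACCESS_POLICY.get(group, ())
    normalized = posixpath.normpath(path)
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    return any(
        normalized == prefix.rstrip("/") or normalized.startswith(prefix)
        for prefix in prefixes
    )


if __name__ == "__main__":
    # Constructed demo: one external partner user with a pre-shared token key.
    key = secrets.token_bytes(32)
    auth = ChallengeResponseAuthenticator({"alice@acme": key})
    challenge = auth.issue_challenge("alice@acme")
    response = client_respond(key, challenge)
    print("first login:", auth.verify("alice@acme", response))        # True
    print("replayed response:", auth.verify("alice@acme", response))  # False
    for path in ("/partners/acme/reports", "/partners/acme/../../intranet/payroll"):
        verdict = "forward" if authorize_forward("partner-acme", path) else "deny"
        print(path, "->", verdict)
```

The proxy in the DMZ would run `issue_challenge`/`verify` at login and then consult `authorize_forward` on every request before opening a connection to the internal server; because the challenge is single-use and short-lived, a response sniffed on the Internet side buys an attacker nothing, which is the property Luc contrasts with a plain one-time password.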