Couldn't you also control access to particular servers via user properties
on the location tab?
This way you could isolate a user account to particular servers and only use
a global rule in the rule base.
-----Original Message-----
From: Mr.Bert Winston [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 21, 2001 12:24 PM
To: Ivan Fox; fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail)
Subject: RE: [FW1] Do these solutions post unacceptable security risk?
IMHO
1) - dedicated line to vendor
2) - RSA/ACE Server using SecurID over the net - works well
but can be expensive.
3) - Set up a VPN between yourself and the vendor over the net.
Just remember, once you give the vendor access to your internal
servers they will be able to access all your servers. ;>
L8r
Cyn
"...Security is not something you can buy. No matter what
vendors try to tell you. Security is something you live..."
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ivan
> Fox
> Sent: Sunday, January 21, 2001 12:18 PM
> To: fw-1-mailinglist (e-mail); fw-wiz; Fw1-Wizards (E-mail)
> Subject: [FW1] Do these solutions post unacceptable security risk?
>
>
>
> There are a number of unix-based and NT-based application servers on the
> internal network. They are so special that the vendor needs to access these
> servers from the Internet to troubleshoot and support, when needed.
>
> The following are proposed "solutions"; your comments/suggestions are
> appreciated.
>
> 1) SSH for Unix-based servers
>
> 2) VNC for NT-based servers
>
> 3) VPN for both Unix and NT servers.
>
> In these cases, we need to drill a number of holes in the firewall to allow
> port 22, 5900 and/or 50 to pass through. We want the "vendor" to be
> authenticated by Check Point Firewall-1 before allowing them to come in and
> then access ONLY those servers.
>
> The rule would be
>
> src          dst                   service   action
> vendor ip    encryption-domain-x   50        client-auth
>              (consists of the ip
>              of unix-nt servers)
>
> Would such "design" pose any security risk to us?
>
> Any comments/suggestions are appreciated.
>
> Dave
>
>
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
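To make the thread's two points concrete, here is an added example that is not from any of the posters: a small Python model of a first-match rule base with one global client-auth rule (Dave's design) and an optional per-user destination restriction (the "location tab" idea from the top reply). It shows Cyn's warning that an authenticated vendor can otherwise reach every internal host, and that the per-user restriction confines them without extra rules. Host names, the user object and the evaluation order are constructed assumptions, not Check Point's own data model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the proposed design: one global rule plus an optional
# per-user location restriction. Not Check Point's real object model.

@dataclass
class Rule:
    src: str          # source object name, or "any"
    dst: set          # destination host names; {"any"} matches everything
    service: int      # constructed: TCP port or IP protocol number
    action: str       # "client-auth" or "drop"

@dataclass
class User:
    name: str
    authenticated: bool
    allowed_dst: Optional[set] = None   # None = no location restriction

INTERNAL_SERVERS = {"unix1", "unix2", "nt1", "nt2", "payroll-db"}  # constructed
VENDOR_SERVERS = {"unix1", "nt1"}   # the servers the vendor actually supports

def evaluate(rules, user, src, dst, service):
    """Return 'accept' or 'drop' for one connection. First matching rule wins;
    client-auth accepts only an authenticated user whose location
    restriction (if any) permits the destination."""
    for r in rules:
        src_ok = r.src == "any" or r.src == src
        dst_ok = "any" in r.dst or dst in r.dst
        if not (src_ok and dst_ok and r.service == service):
            continue
        if r.action == "client-auth":
            if not user.authenticated:
                return "drop"
            if user.allowed_dst is not None and dst not in user.allowed_dst:
                return "drop"
            return "accept"
        return "drop"
    return "drop"   # implicit cleanup rule: nothing matched

# Dave's single global rule: vendor -> anything, SSH, client-auth
GLOBAL_RULES = [Rule("vendor_ip", {"any"}, 22, "client-auth")]

def reachable(user, rules=GLOBAL_RULES, service=22):
    """Set of internal hosts the vendor can reach under the given rule base."""
    return {h for h in INTERNAL_SERVERS
            if evaluate(rules, user, "vendor_ip", h, service) == "accept"}
```

Without the restriction the authenticated vendor reaches all of INTERNAL_SERVERS; with allowed_dst set to VENDOR_SERVERS, only those two hosts, and a service the rule does not list is dropped either way.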