On Thursday, October 15, 1998 4:08 AM, Dark Shadows
[SMTP:[EMAIL PROTECTED]] wrote:
> MS Proxy isn't your best bet, and from my small knowledge of Linux you will
> have a great deal of work ahead of you. You might look at another firewall
> soln like Checkpoint's Firewall 1. We used it in conjunction w/ MS Proxy
> 2.0 to force the users to be NT Authenticated and then made the Firewall
> accept requests only from the exchange server and the Proxy server; all other
> internal requests are denied. I don't know if Firewall 1 will support x.400
> traffic though. Also, does the 400 traffic need to get to the Internet or is
> it internal to their private WAN???
>
Hi, and thanks.
This is, in fact, what I now intend to do, though using the TIS toolkit on
a Linux system. Initially I will have the Proxy server (with a single
network card) and the mail server on the internal network, and a Linux
system straddling the internal and external networks, then use the IP
forwarding tools on Linux to control traffic to/from the Internet.
Because all the users will use the Proxy Server, I only need to allow
traffic to/from the Proxy and mail servers; everything else will be
rejected. That way, the users HAVE to use the Proxy Server, and I can
authenticate them against their NT logon and monitor their usage, which are
prime requirements. The only technical complication is that when someone
needs a new service, say secure HTTP, I need to enable it not only on the
Proxy Server, but also on the Linux system. Not exactly onerous.
I'm boning up on the other security issues now. For example, I guess that
I'll need to disable most services on the gateway, so that no one can
telnet/ftp etc. to it and compromise the system that way. I gather that the
TIS toolkit allows a further degree of control in this area, so that I can
log suspicious events.
My next project will be testing the theory. I've set up a Linux box as
above and know that it can be done technically, but I need to find out if
there are security weaknesses or known exploits which blow the paper theory
wide apart.
Regards
Neil
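The forwarding policy described above (only the Proxy and mail servers may cross the gateway, everything else rejected, the gateway's own services locked down), as an added example that is not part of the original thread. It uses modern iptables rather than the 1998-era ipfwadm/ipchains, and the interface names, addresses and the admin host are assumptions; addresses are assumed to be routed as-is with no NAT.

```shell
#!/bin/sh
# Added example (not from the original thread): netfilter ruleset for the
# dual-homed Linux gateway described above. Interfaces and RFC 5737
# documentation addresses below are assumptions, not values from the thread.
PROXY_IP="${PROXY_IP:-192.0.2.10}"   # MS Proxy 2.0 (single NIC, internal LAN)
MAIL_IP="${MAIL_IP:-192.0.2.25}"     # mail server, internal LAN
ADMIN_IP="${ADMIN_IP:-192.0.2.5}"    # the one internal host allowed to SSH to the gateway
INT_IF="${INT_IF:-eth0}"             # internal network
EXT_IF="${EXT_IF:-eth1}"             # Internet side

# Print the ruleset in iptables-restore(8) format. Printing rather than
# applying keeps the policy reviewable (diff it, keep it in version control)
# before it is loaded on the gateway.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- the gateway itself: nothing (telnet/ftp/...) reachable except admin SSH ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "gw-input-drop: " --log-level 4
# --- forwarding: only the proxy and mail server may cross the gateway ---
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $MAIL_IP -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -d $MAIL_IP -p tcp --dport 25 -j ACCEPT
# A new service for the users (say another HTTPS port) needs a rule here as
# well as on the proxy; anything else, e.g. a workstation bypassing the proxy,
# is logged so the attempt shows up, then dropped by the chain policy.
-A FORWARD -j LOG --log-prefix "gw-forward-drop: " --log-level 4
COMMIT
EOF
}
```

Load on the gateway (as root) with `gen_ruleset | iptables-restore` after enabling `net.ipv4.ip_forward=1`; the LOG lines land in the kernel log, which is where to watch for bypass attempts.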
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]