Ihsan--
1. There is a Unix-based secure telnet project. Personally, I
use ssh, as does most of the rest of the world, which is not to say stelnet
(??) is bad. If you can build ssh2 for your environment, I would recommend
it on a dedicated DMZ host with plug-gw running.
2. If you decide (via corporate or organizational security policy)
to offer in-bound SSL access to hosts, once again, place them in your DMZ and
restrict access (front and back sides) through your firewall
designs.
3. I know nothing about physically adding an interface to a
mainframe...I consider it pretty cool that I at least got to see and use the IBM
390 machines at my former University :)
4. Translating publicly-accessible addresses into internal
addresses will be done via NAT, and split DNS will take care of name
resolution.
5. Affecting performance is a broad description. If you stick
a Nokia IP650 with FW-1 in place of a Cisco 2500 with ACLs you will see a
performance increase. A SPARCStation 20 with FW-1 in place of a Cisco 7204
VXR with ACLs will see a reduction in performance. More information about
your topology would yield a more descriptive answer.
6. A TCP stack is essential to modern network communication.
Aside from the recent issues with TCP sequence number prediction as an exploit,
there isn't much to concern yourself with...the IP protocol suite was not
designed with security in mind; it was merely functional and fairly
efficient. If you're in a RACF environment (excellent host-based
authentication and authorization but no encryption capabilities)
you're just as well off as an external Unix host with wide-open telnet if
someone is able to sniff your line.
Chris
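Point 4 above (NAT for the public-to-internal address translation, split DNS for name resolution) is easy to get subtly wrong when the two are maintained separately: the internal view of a name has to agree with what the NAT table maps the public address to. The following is an added example, not code from the message or from any product it mentions; the addresses, names and network ranges are constructed sample values. It models a split-horizon resolver that picks a view by the client's source address and derives the internal view from the external view through the NAT table, then checks the two for consistency.

```python
"""Split-horizon DNS answers derived from a static NAT table (added example)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed: address ranges that count as "inside" for view selection.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed: static 1:1 NAT table, public address -> internal address.
NAT_TABLE: Dict[str, str] = {
    "198.51.100.10": "10.0.1.10",   # web server in the DMZ
    "198.51.100.11": "10.0.1.11",   # mail relay in the DMZ
}

# Constructed: the external (public) view of the zone.
EXTERNAL_VIEW: Dict[str, str] = {
    "www.example.test": "198.51.100.10",
    "mail.example.test": "198.51.100.11",
}

# Constructed: names that must only ever resolve for internal clients.
INTERNAL_ONLY: Dict[str, str] = {
    "intranet.example.test": "10.0.2.5",
}


def build_internal_view() -> Dict[str, str]:
    """Internal view = external view translated through NAT, plus internal-only names.

    Deriving it this way (rather than hand-maintaining a second zone file)
    keeps the split DNS data and the NAT table from drifting apart.
    """
    view = {}
    for name, public_addr in EXTERNAL_VIEW.items():
        # Fall back to the public address if no NAT entry exists; the
        # consistency check below flags that case.
        view[name] = NAT_TABLE.get(public_addr, public_addr)
    view.update(INTERNAL_ONLY)
    return view


def is_internal(client_ip: str) -> bool:
    """True if the querying client sits in one of the internal ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETS)


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Answer a query using the view appropriate for the client's source address.

    External clients never see internal-only names or internal addresses.
    """
    key = name.lower().rstrip(".")
    view = build_internal_view() if is_internal(client_ip) else EXTERNAL_VIEW
    return view.get(key)


def nat_inbound(public_addr: str) -> Optional[str]:
    """Destination translation the firewall applies to an inbound packet."""
    return NAT_TABLE.get(public_addr)


def view_consistency_errors() -> List[str]:
    """Report names whose public address has no NAT entry, or whose internal
    address leaks into the external view. An empty list means the split DNS
    data and the NAT table agree."""
    errors = []
    internal_addrs = set(NAT_TABLE.values()) | set(INTERNAL_ONLY.values())
    for name, public_addr in EXTERNAL_VIEW.items():
        if public_addr not in NAT_TABLE:
            errors.append(f"{name}: public address {public_addr} has no NAT entry")
        if public_addr in internal_addrs:
            errors.append(f"{name}: internal address {public_addr} exposed externally")
    for name in INTERNAL_ONLY:
        if name in EXTERNAL_VIEW:
            errors.append(f"{name}: internal-only name present in external view")
    return errors


if __name__ == "__main__":
    for client in ("10.0.5.7", "203.0.113.9"):
        for host in ("www.example.test", "intranet.example.test"):
            print(f"{client:>12} asks {host:<22} -> {resolve(host, client)}")
    print("consistency errors:", view_consistency_errors() or "none")
```

The consistency check is the part worth keeping around: run it whenever either the NAT table or the zone data changes, so an internal address never ends up in the externally visible view.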