Bob, I just went through the same situation. There is an easy answer for you if you are running a Cisco router on your perimeter.
Use IP Authentication Proxy. All you have to do is download the crypto image of the latest IOS from Cisco and apply it to your router and then configure IP AUTH-PROXY. The second step is to authenticate this off of a TACACS+ or RADIUS database. I highly recommend TACACS+ (Cisco ACS server) because the whole transaction will be encrypted. Make all of your users go to the web server via HTTPS. This will cause everything to be encrypted throughout the entire transaction, it's brilliant. Let me know if you need more info.

----- Original Message -----
From: "Meidinger Chris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "'Bob Freeman'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, August 07, 2003 3:48 AM
Subject: AW: Securing Web access from internet

I agree, authenticating on the firewall is the best way to go. Checkpoint FW-1 and RSA SecurID work great together too for this.

badenIT GmbH
System Support
Chris Meidinger
Tullastrasse 70
79108 Freiburg
______________
There are 10 kinds of people on the planet: those who understand binary, and those who don't.

-----Original Message-----
From: David Gillett [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 10:57 PM
To: 'Bob Freeman'; [EMAIL PROTECTED]
Subject: RE: Securing Web access from internet

Years back, I worked on a network where we had a requirement like this, which we met by deploying a PIX as gateway with an attached TACACS+ server. Clients who telnetted to the gateway and authenticated against TACACS+ got access to the network beyond the gateway.

More recently, I've been using some of the authentication services offered by CheckPoint's FW-1 firewall and BlueSocket's "wireless" security box. I suspect that user authentication as a firewall feature has become fairly widespread, although I'm not sure how common on boxes costing less than about $10K.
David Gillett

> -----Original Message-----
> From: Bob Freeman [mailto:[EMAIL PROTECTED]
> Sent: August 6, 2003 08:58
> To: [EMAIL PROTECTED]
> Subject: Securing Web access from internet
>
> Hi everyone,
>
> We have a web application on our LAN (based on IIS) and we want to make
> this web application available from the internet for specific
> users/workstation.
>
> 1) I want to make sure that these users/workstation are authenticated
>    BEFORE accessing the local network.
> 2) I want to make sure that the information transiting on the public
>    network is encrypted
> 3) I would prefer to not have anything to install on the remote
>    workstations (if possible)
> 4) I don't want a VPN solution.
>
> I don't know much about the product I need but I suppose it would be a
> kind of web relay/authentication server installed in our DMZ. Do you
> have product to propose?
>
> Thanks
> Bob Freeman
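
A minimal IOS configuration sketch of the authentication proxy setup described in the first reply, added here as an illustration and not taken from any poster in this thread. The interface name, rule name, ACL number and addresses are constructed, and exact command syntax varies between IOS releases.

```cisco
! Added example; every name, number and address below is constructed.
!
! AAA: authenticate and authorize auth-proxy users against TACACS+.
! "local" is a fallback so router logins still work if the server is down.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
!
! TACACS+ server on the inside network (documentation-range address).
! The shared key encrypts the TACACS+ packet body between router and server.
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
! The auth-proxy login page is served by the router's own HTTP server,
! which must hand credentials to AAA.
ip http server
ip http authentication aaa
!
! Auth-proxy rule: HTTP connections arriving on the interface trigger
! the login prompt.
ip auth-proxy name WEBUSERS http
!
! Outside ACL: deny by default. After a successful login, the per-user
! permit entries defined in that user's AAA profile are added ahead of
! this entry for the authenticated source address only.
access-list 105 deny ip any any
!
interface Serial0/0
 ip access-group 105 in
 ip auth-proxy WEBUSERS
```

After a test login, `show ip auth-proxy cache` lists the source addresses that are currently authenticated, which is a quick check that access is being granted per user and not left open.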