Re: Student Questions
From: The Robot (mail@therobot.com)
Date: 08/04/02
From: "The Robot" <mail@therobot.com>
Date: Sun, 4 Aug 2002 10:36:38 +0100
I'm a network admin in this situation also.
> 1. Is setting up a firewall load balancing scheme worth the effort (and I
> assume expense)?
It could be, for failover purposes. If your internet access is mission
critical, then you need an alternative solution should a firewall fail.
Some firewalls can failover to a second box with relative ease, and the only
cost would be a standby box to which you upload your presaved config.
>
> 2. Some of the material I have on firewalls claims that firewalls cannot
> defeat tunneling, but yet I believe I saw in one article here that it is
> indeed now possible to stop this 'tunneling.' Who is correct?
I too would like to know more about this. Sorry I can't help you.
>
> 3. In your opinion, what is the most cost effective but secure firewall
> scheme? i.e. combination of router, load balancer, layered firewall
> (hardware ++ software) and encryption? (if I'm not making sense, please
> forgive me, as this is my first networking class :-).
I'm seriously looking at the WatchGuard FireBox series.
You get:
1) A FireBox 700 (250 concurrent users) for $1700 (!). Pay more
for the faster versions 1000, 4500 etc that support more users.
2) User access control either through NT Username & password,
secureID, IP address, or its own internal database.
3) Auditing of sites visited on any of the above, e.g. a report on
what sites Tom was looking at last Thursday.
4) WebBlocker to control site access, that can be adjusted on a
per user basis. Ongoing subscription costs are around $400/year for the 700
Model. Through WebBlocker you control who can see and download what, like
the .exe files you mention.
5) Failover to a second firebox. (Just check this though)
6) Can work with other routers on a network.
>
> On employees accessing the internet:
>
> 4. If a no surfing policy is in effect, I would assume the employees at
> these workstations have no need to access the internet in the first place.
> How hard is it to isolate the network of users from the internet that
> haven't a need to access it? Or remove all browsers, ftp and telnet clients
> and make it so the install of executables are a privileged entity..?
I've answered this above. A proxy server does this normally. You give
everyone access at the desktop, and then block it at the proxy for those
users you don't want to have access to the internet. The WatchGuard has
proxying built in. You can even nail things down so they can only visit one
site!
Alternatively you buy Surfcontrol, WebSweeper etc.
>
> 5. Would it be cost prohibitive for the said company to set up something
> like a public computer lab that does have internet access for their
> employees to use on their own time?
Just the cost of the Workstations, which could be 486s! You give those
workstations access to just the parts of the Web that you want them to
(WebBlocker). You can even restrict the time of day that these were
operational, again using WebBlocker.
>
> TIA for your time;
>
> -Markus
> --
> To Reply: remove 4u
>
>