Re: Firewall advice
From:Date: 08/26/02
- Next message: Don Quixote: "Re: Norton Internet Security Redirector is crashing my computer"
- Previous message: bassbag: "Re: Outpost Pro & WinMX App. Rules"
- In reply to: glassgnost: "Re: Firewall advice"
- Next in thread: glassgnost: "Re: Firewall advice"
- Reply: glassgnost: "Re: Firewall advice"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Aug 2002 21:00:10 +1000
glassgnost <dlindnerSPAMBLOCKED@socal.rr.com> wrote in message
news:3D69A08C.1090801@socal.rr.com...
> NeoSadist wrote:
>
>
> > Does it HAVE to be secure? First of all, it sorta sounds pathetic to ask
> > for max security plus 3 computers to share a 56K. Try to explain this to
> > them.
> > But if they MUST have it that way, why not, instead of vpn or secure vpn,
> > why not go with external LAN modem into linksys router (since they come with
> > a NAT firewall and stateful packet inspection)? They could even go with
> > broadband at a cheaper cost than to run vpn or secure vpn. Besides, no
> > offense, 56K isn't enough bandwidth to share over 3 computers. With today's
> > impatient society, it's not enough for even one computer hardly! lol
>
> Broadband may not be an option where he is.
>
> I've done this with Linux boxes. It'll do PPP in either static or
> dynamic mode. Use a free dynamic DNS account so the clients can find
> you. Use iptables/ipchains to lock her down, and PoPToP to support basic
> VPN for the clients (all current windows versions do pptp). It'll do
> encrypted passwords, but the stream will be clear packets - but that's
> OK for most cases because the RDP protocol encrypts. Make sure the
> termserver and clients are configured as such.
>
> Just be aware that using POP3 etc over that link can and likely will
> give away secrets. Stick with encrypted protocols. Use different
> passwords for the link, the RDP session AND the boxes' local accounts.
> Assuming that your client can cope. At least the Win32 pptp dialog lets
> the machine "remember" a complex password, thus relieving the user...
>
> --
> Mystical Reverend Doktor glassgnost, Minister of Unnatural Selection
> -- dlindner (at) socal (dot) rr (dot) com --
> Eternal Salvation or Triple Your Money Back!
> http://www.subgenius.com ...or kill me!
>
> What is tolerance? -- it is the consequence of humanity. We are all
> formed of frailty and error; let us pardon reciprocally each other's
> folly -- that is the first law of nature.
> -- Voltaire

This link has to have at least SOME attempt at security, as their head
office had been hacked in the past, and the link they had to the server that
has just been replaced was wide open.

I am not looking for Fort Knox type of security, more the "If you did not
know it was there and did not purposely look for it, you would not know it
was there" type of security.

Broadband is out due to cost... head office does not want to pay. Not sure
what costs are where you are, but minimum cost here is $60/per month for
300MB limit (residential). Corporate pricing is usually treble this.

My first choice was to go for a VPN gateway router like SMC Barricade or such,
but 56K dialup is all I have to work with.

56K is already in place to static IP.. so head office interstate knows where
to look for them, and happily paying current bill..

Remote users are connecting after hours and normally only one at a time, but
allowance made for that odd occasion when they all wanted in at the same
time.

The VPN will be the only way for outside users to connect. What ports will I
need to leave open/monitor for VPN to work?

Will I need to have any others open for the Terminal Server Client to use or
will it confine all its traffic to the VPN tunnel?

Most of the users inside the LAN do not have Internet access but email is
allowed to some. Other than the Terminal Server that the remote users are
connecting to via VPN, no other services are to be visible to the outside.

Are iptables/ipchains internal Unix/Linux commands or are they external
programs?
Ditto for PoPToP?

Michael Warner
4 star computers @ optusnet . com . au ***remove the gaps (both in the
address, and in my knowledge***
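
Added example, not part of the original thread or any poster's configuration: a sketch of the inbound policy for the Linux + PoPToP gateway suggested in the quoted reply, showing that PPTP needs TCP 1723 plus GRE (IP protocol 47) on the dial-up side, while RDP (TCP 3389) is allowed only from tunnel interfaces. The function name, interface name and addresses are assumptions chosen for illustration; LAN-side management and outbound mail rules are site-specific and left out.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a dial-up PPTP gateway.
# All arguments are assumptions for illustration:
#   $1  WAN interface (the 56K PPP link, e.g. ppp0)
#   $2  internal address of the Terminal Server
#   $3  address pool PoPToP hands to VPN clients (its "remoteip" range)
pptp_gateway_rules() {
    [ "$#" -eq 3 ] || { echo "usage: pptp_gateway_rules WAN TS_IP VPN_POOL" >&2; return 2; }
    wan=$1 ts=$2 pool=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# PPTP control channel: TCP 1723, logged so new tunnels can be monitored
-A INPUT -i $wan -p tcp --dport 1723 -m conntrack --ctstate NEW -j LOG --log-prefix "pptp-new: "
-A INPUT -i $wan -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT
# PPTP data channel: GRE, which is IP protocol 47 (not a TCP/UDP port)
-A INPUT -i $wan -p 47 -j ACCEPT
# Nothing else on the gateway is reachable from the Internet side
-A INPUT -i $wan -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The dial-up WAN link is itself a ppp interface, so drop it here first;
# otherwise the ppp+ wildcard below would also match Internet traffic
-A FORWARD -i $wan -j DROP
# RDP (TCP 3389) only from tunnel interfaces, only from the VPN pool
-A FORWARD -i ppp+ -s $pool -d $ts -p tcp --dport 3389 -j ACCEPT
COMMIT
EOF
}

# Constructed sample values: WAN on ppp0, Terminal Server at 192.168.1.10,
# VPN clients drawn from 192.168.1.240/28.
pptp_gateway_rules ppp0 192.168.1.10 192.168.1.240/28
```

Piping the output to `iptables-restore --test` parses the ruleset without loading it, which is a safe way to check it on the gateway before committing.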