On 2 Apr 98, you wrote:

> TRUE if the site is a trusted site. The VPN allows all ports and
> protocols between sites.

I assumed it was a trusted site since the original question said there were two locations (uptown, downtown) for the same company. Also, most VPNs have some sort of "filtering" mechanism which allows you to control what ports and protocols are allowed thru the tunnel.

> If it is just one box a VPN is great!! But what if it is a small
> group of scattered IP addresses in an untrusted site. (I know, they
> are already using Windows crap and possibly granting the keys to the
> Kingdom). But, is it safer to tunnel box to box or do a global fully
> trusted VPN to a possibly untrusted site, and do they have a
> firewall at both sites??? If not, maybe doing a VPN encrypted using
> Gauntlet PC Extender on each PC that needs Windows communication to
> the main firewalled site.

I'm not sure I understand your point, but if the situation is as you describe - a few trusted hosts at an untrusted site - then host-to-host and host-to-firewall tunneling are options. But what about physical security?... are the hosts in the hostile environment physically secure? If not, the tunnels may have limited value. Before recommending a more complex solution I'd try to get a handle on the risk levels and the value of the data being protected.

The tunnel doesn't give its user "free rein" over the host at the other end; he must also have the required permissions to access the desired data/services on the target host. In other words, he'd have to hack the tunnel and then the OS to get the goods illicitly.

I guess I'm just trying to say that "simpler is better". The obvious stuff like physical security, good password selection, etc. oughta' be addressed before resorting to multiple tunnel arrangements. The additional cost and complexity should be justified by the value of the data being protected and the presence of a realistic threat.
Best Regards,

James Moore

> > -----Original Message-----
> > From: James Moore <jimat_private>
> > To: AC <ac0at_private>; ac0at_private <ac0at_private>;
> > firewall-wizardsat_private <firewall-wizardsat_private>
> > Date: Thursday, April 02, 1998 2:53 AM
> > Subject: Re: TIS Gauntlet : WINS and Exchange
> >
> > When faced with a similar situation last year, I used the VPN
> > feature to tunnel all the "network neighborhood" stuff through the
> > firewalls. That seemed to preserve all of the Windows networking
> > features, and do it more securely than the "generic" proxy service
> > on the firewall.
> >
> > James Moore
> >
> > On 31 Mar 98, you wrote:
> > > Hey folks,
> > >
> > > So I am currently on a project that involves
> > > a number of m$ products; <sigh>
> > > "Know thy enemy" is what I always say
> > > though.
> > >
> > > check this: the company has 2 WINS servers, the primary
> > > one is in their uptown location. Their secondary is
> > > at their downtown location, where I am.
> > > So they do WINS resolution _over the Internet_.
> > > (no inter-office connectivity
> > > except through the net). Is WINS and port 137-139
> > > netbios services the same thing? How the fsck does WINS
> > > work anyway? More importantly, how will I pass
> > > it through the Gauntlet firewall (plug-gw?) (is there not
> > > the fear that somebody can just use smbclient and
> > > a cracked password to access the drives?) Not only
> > > that, but they do the Exchange database replication
> > > also _over the internet_. Needless to say, their
> > > setup is fubar. But I have to know how the m$ sexchange
> > > db replication works anyway (which ports or anything).
> > > More importantly, how do I pass it through Gauntlet?
> > >
> > > I believe I might have to just tcpdump
> > > on the wire and figure out what's happening,
> > > 'cause RFC1001 and RFC1002 ain't fun reading.
> > >
> > > Suggestions, flames, comments welcome.
> > > --Anindya

...................................................
: Bokler Software Corp.                           :
: PO Box 261                                      :
: Huntsville, AL 35804                            :
: tel: 205-539-9901                               :
: fax: 205-882-7401                               :
: www: http://www.bokler.com/                     :
...................................................
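The two positions in the thread, a site-to-site VPN that passes "all ports and protocols between sites" versus a box-to-box tunnel with the VPN's own filtering restricting what crosses it, can be made concrete with a small policy model. The following is an added example, not code from the thread or from Gauntlet: the addresses, the trusted host range and the sample flows are constructed, and the only real values are the NetBIOS-over-TCP/IP ports from RFC 1001/1002 that WINS and "network neighborhood" traffic use.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# NetBIOS-over-TCP/IP services (RFC 1001/1002): the ports WINS and
# "network neighborhood" traffic actually use.
NETBIOS_SERVICES = {
    ("udp", 137): "netbios-ns (name service, used by WINS)",
    ("udp", 138): "netbios-dgm (datagram service)",
    ("tcp", 139): "netbios-ssn (session service, SMB file sharing)",
}

@dataclass(frozen=True)
class Rule:
    src: IPv4Network        # hosts allowed to originate traffic
    dst: IPv4Network        # hosts they may reach through the tunnel
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, or None for any port

@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int

def tunnel_allows(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule admitting the flow, or None if the tunnel filters it."""
    for r in rules:
        if (flow.src in r.src and flow.dst in r.dst
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r
    return None

def classify(flow: Flow) -> str:
    """Name the NetBIOS service a flow belongs to, or 'other'."""
    return NETBIOS_SERVICES.get((flow.proto, flow.dport), "other")

def audit(rules: List[Rule], flows: List[Flow]) -> List[dict]:
    """Evaluate flows against a policy: useful for checking a proposed
    ruleset against traffic summarised from a tcpdump capture."""
    return [
        {"flow": f, "service": classify(f),
         "decision": "allow" if tunnel_allows(rules, f) else "deny"}
        for f in flows
    ]

# Constructed addresses (assumed for this example, not from the thread).
UPTOWN_SITE = ip_network("192.0.2.0/24")
UPTOWN_WINS = ip_network("192.0.2.10/32")          # primary WINS server
DOWNTOWN_SITE = ip_network("198.51.100.0/24")
DOWNTOWN_TRUSTED = ip_network("198.51.100.0/29")   # the few hosts that need WINS

# "Global fully trusted" site-to-site VPN: every port and protocol between the sites.
SITE_TO_SITE_POLICY = [Rule(DOWNTOWN_SITE, UPTOWN_SITE, "any", None)]

# Box-to-box tunnel with filtering: only NetBIOS from the trusted hosts
# to the WINS server; anything else is dropped at the tunnel.
HOST_TO_HOST_POLICY = [
    Rule(DOWNTOWN_TRUSTED, UPTOWN_WINS, "udp", 137),
    Rule(DOWNTOWN_TRUSTED, UPTOWN_WINS, "udp", 138),
    Rule(DOWNTOWN_TRUSTED, UPTOWN_WINS, "tcp", 139),
]

# Constructed sample flows, as one might summarise from a capture.
SAMPLE_FLOWS = [
    Flow(ip_address("198.51.100.2"), ip_address("192.0.2.10"), "udp", 137),    # WINS query
    Flow(ip_address("198.51.100.2"), ip_address("192.0.2.10"), "tcp", 139),    # SMB session
    Flow(ip_address("198.51.100.2"), ip_address("192.0.2.10"), "tcp", 23),     # telnet
    Flow(ip_address("198.51.100.200"), ip_address("192.0.2.10"), "tcp", 139),  # host outside trusted range
]

def decisions(rules: List[Rule]) -> List[str]:
    """Allow/deny verdict for each sample flow under the given policy."""
    return [row["decision"] for row in audit(rules, SAMPLE_FLOWS)]

if __name__ == "__main__":
    for name, policy in (("site-to-site", SITE_TO_SITE_POLICY),
                         ("host-to-host", HOST_TO_HOST_POLICY)):
        print(name)
        for row in audit(policy, SAMPLE_FLOWS):
            f = row["flow"]
            print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport:<4} {row['decision']:5} {row['service']}")
```

Under the site-to-site policy all four flows are admitted, including the telnet session and the host outside the trusted range; under the filtered host-to-host policy only the two NetBIOS flows from a trusted host pass. The `audit` output is the kind of table worth producing from a real capture before deciding which of the two arrangements the data actually justifies.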
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:04 PDT