1998-04-29-23:23:41 ArkanoiD:
> A question is: what non-IP protocols can be (and should be) firewalled?

Given a broad enough definition of "firewalled", all of 'em. By that broad definition, the access router doing xtacacs to our SecurID server is the firewall for the dialup network (coming in on PRI).

In the few cases I've had to deal with non-IP networks coming in (a couple of x.25-based feeds) I took the approach that since neither I nor anyone else in our firm had any knowledge of the security model and protocols used on the alien network, we'd just treat it as a portion of the trust zone belonging to the other company. Park a neutral machine out there to run their interface software, on a little one-host LAN, and make it accessible to our in-house network through a router that's doing NAT, and is configured to pass _nothing_ except outbound TCP 22 (ssh). This makes it easy to configure who can get at this box, and easy to get a handle on what damage this box can do --- namely, nothing but sabotage the data we're buying from the other company anyway.

Happily, non-IP protocols seem to be dying out wherever you look. So this problem is fading with time, though other problems are certainly ramping up to take its place:-).

-Bennett
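The router policy described in the post, modelled as an added example (not code from the post or its author): a stateful filter with source NAT that passes nothing except outbound TCP 22 to the neutral host and the replies belonging to those sessions. All addresses and port numbers are constructed for the example.

```python
"""Model of a NAT router between the in-house network and a one-host LAN
that passes nothing except outbound TCP 22 to the neutral host.
All addresses below are constructed for this example."""
import ipaddress
from dataclasses import dataclass, replace

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")        # in-house network (constructed)
ROUTER_OUTSIDE = ipaddress.ip_address("192.0.2.1")     # router's leg on the one-host LAN (constructed)
NEUTRAL_HOST = ipaddress.ip_address("192.0.2.10")      # box running the partner's interface software (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class NatRouter:
    """Stateful filter plus source NAT; the default policy is DROP in both directions."""

    def __init__(self, first_nat_port=40000):
        self.next_port = first_nat_port
        self.nat_table = {}   # translated port -> (inside src, inside sport)
        self.sessions = {}    # (inside src, inside sport) -> translated port

    def forward(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # Rule 1: in-house -> neutral host, TCP/22 only. New sessions may only start here.
        if src in INSIDE_NET and dst == NEUTRAL_HOST and pkt.proto == "tcp" and pkt.dport == 22:
            key = (pkt.src, pkt.sport)
            if key not in self.sessions:
                self.sessions[key] = self.next_port
                self.nat_table[self.next_port] = key
                self.next_port += 1
            # SNAT: the neutral host only ever sees the router's own address
            return "PASS", replace(pkt, src=str(ROUTER_OUTSIDE), sport=self.sessions[key])
        # Rule 2: replies from the neutral host's port 22 to a session we translated
        if src == NEUTRAL_HOST and dst == ROUTER_OUTSIDE and pkt.proto == "tcp" and pkt.sport == 22:
            inside = self.nat_table.get(pkt.dport)
            if inside:
                return "PASS", replace(pkt, dst=inside[0], dport=inside[1])
        # Everything else, either direction: dropped. The neutral host can initiate nothing inward.
        return "DROP", None
```

The `DROP` branch is what bounds the damage the post describes: even a fully compromised neutral host can only answer ssh sessions that the in-house side opened.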
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:50 PDT