Security Basics mailing list archives

Fw: Securing Web access from internet


From: "Chris" <cstubbs () tampabay rr com>
Date: Thu, 7 Aug 2003 17:31:56 -0400

Bob,

    I just went through the same situation. There is an easy answer for you
if you are running a Cisco router on your perimeter.

    Use IP Authentication Proxy. All you have to do is download the crypto
image of the latest IOS from Cisco and apply it to your router and then
configure IP AUTH-PROXY. The second step is to authenticate this off of a
TACACS+ or RADIUS database. I highly recommend TACACS+ (Cisco ACS server)
because the whole transaction will be encrypted.

    Make all of your users go to the web server via HTTPS. This will cause
everything to be encrypted throughout the entire transaction; it's brilliant.

Let me know if you need more info.

----- Original Message ----- 
From: "Meidinger Chris" <chris.meidinger () badenit de>
To: <gillettdavid () fhda edu>; "'Bob Freeman'" <cm94 () hotmail com>;
<security-basics () securityfocus com>
Sent: Thursday, August 07, 2003 3:48 AM
Subject: AW: Securing Web access from internet


I agree, authenticating on the firewall is the best way to go.
Checkpoint FW-1 and RSA SecurID work great together too for this.

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg

______________

There are 10 kinds of people on the planet:
those who understand binary, and those who don't.



-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Wednesday, August 06, 2003 10:57 PM
To: 'Bob Freeman'; security-basics () securityfocus com
Subject: RE: Securing Web access from internet


  Years back, I worked on a network where we had a requirement
like this, which we met by deploying a PIX as gateway with an
attached TACACS+ server.  Clients who telnetted to the gateway
and authenticated against TACACS+ got access to the network
beyond the gateway.
  More recently, I've been using some of the authentication
services offered by CheckPoint's FW-1 firewall and BlueSocket's
"wireless" security box.  I suspect that user authentication
as a firewall feature has become fairly widespread, although
I'm not sure how common on boxes costing less than about $10K.

David Gillett


-----Original Message-----
From: Bob Freeman [mailto:cm94 () hotmail com]
Sent: August 6, 2003 08:58
To: security-basics () securityfocus com
Subject: Securing Web access from internet




Hi everyone,

We have a web application on our LAN (based on IIS) and we want to make
this web application available from the internet for specific
users/workstation.

1) I want to make sure that these users/workstation are authenticated
   BEFORE accessing the local network.
2) I want to make sure that the information transiting on the public
   network is encrypted.
3) I would prefer to not have anything to install on the remote
   workstations (if possible).
4) I don't want a VPN solution.

I don't know much about the product I need but I suppose it would be a
kind of web relay/authentication server installed in our DMZ.

Do you have a product to propose?

Thanks

Bob Freeman
