Firewall Wizards mailing list archives

RE: Security of satellite links into an organisation


From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Thu, 25 Jan 2001 11:31:25 -0800

This sounds kind of like what the earliest hybrid cable-modem
implementations were like.  You would establish a link over a
landline (in our case, a 33.6 PPP link to the ISP) and the return
packets would get routed to the interface plugged into the cable
modem.

I found a decent solution for at least allowing all of the
connections to terminate at one point was to set up a cheap Linux box
as the entry point to the ISP's network and as the entry point into
our network.  It ended up having three interfaces: one to our
network (192.168.0.X), one to the ISP (a PPP interface) and one that
was an interface configured with what the cable modem wanted us to be
(10.0.0.1).  Since the packets left over the PPP interface, and the
return packets "arrived" at the interface connected to the cable
modem, my packet filtering ruleset had to accommodate rules on both
the PPP as well as the interface connected to the cable modem, which
made things rather complicated, but generally gave me a warm fuzzy
once I completed my fascist ruleset :-)

If you can do something similar with your equipment at least in
principle, where you can control all of the outbound and inbound
interfaces on one machine, you should try to do so.  Even if you
can't control the inbound AND outbound effectively through one
device, you can always plop some sort of firewall, router, whatever
you want to control access behind the interface where the fat pipe
comes into your network easily enough. 


Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT those of my
employer :-)


-----Original Message-----
From: Wigg, Guy G [mailto:GWigg () mail sbic co za]
Sent: Thursday, January 25, 2001 9:43 AM
Subject: [fw-wiz] Security of satellite links into an organisation


Hi all

Bandwidth in South Africa is expensive and the response times are not
at all that great. We have decided that a good solution for surfing
the net is via satellite. One of the SA ISPs offers this service. This
would be the basic set-up: they supply a proxy (MS proxy) that they
propose sits on the organisation's backbone network.

The HTTP request exits the organisation via our landlines to a proxy
at the respective ISP. On exiting we obviously control the connection
via the firewall we have in place. The ISP then sends the return web
pages to the organisation via the satellite dish. My question is: what
is the security risk of this set-up? We now have an unprotected pipe
coming into the network. Agreed, the hacker wouldn't get any responses
since the dish can only receive (the responses would be blocked by the
land FW infrastructure). What risk would we be putting ourselves at?

Any feedback on this would be greatly appreciated.

thanks
Guy


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


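The single-gateway layout described in the reply above (LAN, outbound landline and receive-side pipe all terminating on one box), as an added example that is not from the thread or its authors. It assumes a current Linux gateway using iptables with connection tracking; the interface names eth0/ppp0/eth1 and the function name gen_ruleset are hypothetical, and address translation is left out.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a gateway whose
# outbound and return paths use different interfaces.
# Assumed names (not from the thread): LAN eth0, outbound ppp0, return eth1.
#
# Strict reverse-path filtering (rp_filter=1) drops replies that arrive on
# the return interface, because the route back to their source points out
# the landline. Set net.ipv4.conf.<return_if>.rp_filter=2 (loose) and rely
# on the explicit anti-spoofing rules below instead.

gen_ruleset() {
    lan_if=$1; out_if=$2; ret_if=$3; lan_net=$4
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoofing: LAN addresses must never appear on an outside interface.
-A FORWARD -i $ret_if -s $lan_net -j DROP
-A FORWARD -i $out_if -s $lan_net -j DROP
-A INPUT -i $ret_if -s $lan_net -j DROP
-A INPUT -i $out_if -s $lan_net -j DROP
# Outbound leg: LAN clients open connections over the landline only.
-A FORWARD -i $lan_if -o $out_if -s $lan_net -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Return leg: only replies to tracked connections may enter from the pipe.
-A FORWARD -i $ret_if -o $lan_if -d $lan_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies may also come back over the landline itself.
-A FORWARD -i $out_if -o $lan_if -d $lan_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything else arriving on the return pipe is unsolicited: log and drop.
-A FORWARD -i $ret_if -j LOG --log-prefix "ret-pipe-unsolicited: "
-A FORWARD -i $ret_if -j DROP
# The gateway itself: loopback, LAN management, and its own replies.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the assumed layout; pipe it to
# "iptables-restore --test" to parse it without committing.
gen_ruleset eth0 ppp0 eth1 192.168.0.0/24
```

The conntrack match is what lets a reply arriving on eth1 be tied to a connection that left via ppp0: the tracked tuple does not include the interface.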

