Firewall Wizards mailing list archives
RE: Security of satellite links into an organisation
From: "LeGrow, Matt" <Matt_LeGrow () NAI com>
Date: Thu, 25 Jan 2001 11:31:25 -0800
This sounds kind of like what the earliest hybrid cable-modem implementations were like. You would establish a link over a landline (in our case, a 33.6 PPP link to the ISP) and the return packets would get routed to the interface plugged into the cable modem.

I found a decent solution for at least allowing all of the connections to terminate at one point was to set up a cheap Linux box as the entry point to the ISP's network and as the entry point into our network. It ended up having three interfaces: one to our network (192.168.0.X), one to the ISP (a PPP interface) and one that was an interface configured with what the cable modem wanted us to be (10.0.0.1).

Since the packets left over the PPP interface, and the return packets "arrived" at the interface connected to the cable modem, my packet filtering ruleset had to accommodate rules on both the PPP as well as the interface connected to the cable modem, which made things rather complicated, but generally gave me a warm fuzzy once I completed my fascist ruleset :-)

If you can do something similar with your equipment at least in principle, where you can control all of the outbound and inbound interfaces on one machine, you should try to do so. Even if you can't control the inbound AND outbound effectively through one device, you can always plop some sort of firewall, router, whatever you want to control access behind the interface where the fat pipe comes into your network easily enough.

Matt LeGrow
Network Associates, Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Note: Opinions expressed herein are most certainly NOT that of my employer :-)
-----Original Message-----
From: Wigg, Guy G [mailto:GWigg () mail sbic co za]
Sent: Thursday, January 25, 2001 9:43 AM
Subject: [fw-wiz] Security of satellite links into an organisation

Hi all

Bandwidth in South Africa is expensive and the response times are not at all that great. We have decided that a good solution for surfing the net is via satellite. One of the SA ISPs offers this service.

This would be the basic set-up: they supply a proxy (MS proxy) that they propose sits on the organisation's backbone network. The http request exits the organisation via our landlines to a proxy at the respective ISP. On exiting we obviously control the connection via the firewall we have in place. The ISP then sends the return web pages to the organisation via the satellite dish.

My question is what is the security risk of this set-up? We now have an unprotected pipe coming into the network. Agreed the hacker wouldn't get any responses since the dish can only receive (the responses would be blocked by the land FW infrastructure). What risk would we be putting ourselves at?

Any feedback on this would be greatly appreciated.

thanks
Guy

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
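Added example, not part of the original post or the poster's ruleset: a small Python model of the filtering policy the reply describes, where flows may only be opened from the internal network out over the PPP uplink and the receive-only interface admits only packets that reverse a flow opened from inside. The interface labels, class and function names and the external addresses are hypothetical, and the model assumes no address translation and no forwarded traffic returning on the PPP side.

```python
# Added illustration: interface labels and external addresses are constructed.
from typing import NamedTuple

class Packet(NamedTuple):
    iface: str   # arrival interface: "lan", "ppp" (uplink) or "cable" (downlink)
    src: str
    sport: int
    dst: str
    dport: int

LAN_PREFIX = "192.168.0."   # internal network named in the message

class AsymmetricFilter:
    """Flows leave via the PPP uplink; replies are accepted only on the downlink."""

    def __init__(self):
        self.flows = set()  # (client, cport, server, sport) opened from the LAN

    def check(self, pkt: Packet) -> str:
        if pkt.iface == "lan":
            # Only internal sources may open flows (anti-spoofing on the LAN side).
            if not pkt.src.startswith(LAN_PREFIX):
                return "drop: spoofed source on lan"
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward via ppp"
        if pkt.iface == "cable":
            # Downlink: accept only the exact reverse of a flow opened from inside.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "forward to lan"
            return "drop: unsolicited on cable"
        if pkt.iface == "ppp":
            # Assumption: the uplink carries no forwarded return traffic.
            return "drop: inbound on ppp"
        return "drop: unknown interface"

def demo() -> list:
    """Run constructed packets through the filter and return the verdicts."""
    fw = AsymmetricFilter()
    packets = [
        Packet("lan", "192.168.0.5", 40000, "203.0.113.10", 80),    # request out
        Packet("cable", "203.0.113.10", 80, "192.168.0.5", 40000),  # its reply
        Packet("cable", "198.51.100.7", 80, "192.168.0.5", 40001),  # no matching flow
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    print(demo())
```

The third packet is the case raised in the original question: traffic arriving on the receive-only pipe that no internal host asked for is dropped at the downlink interface instead of reaching the internal network.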