Re: VPN & Frame Routing (Zill, Greg)

["Chris Clamp" <chris.clamp () showads com au>]

Hi Greg,

Most routers have a number of routing protocols on them that you could use, but what you
would need to do here is set up a static route to send the default traffic out to the
VPN, and redistribute this through a routing protocol (EIGRP,OSPF,etc) so that the static
route is then known to all NOC sites. The IP address range that the financials, etc, are
situated on, this address range would be known through the routing protocol, and traffic
will head in the right direction.

Hope this helps

Cheers

firewall-wizards-request () nfr com wrote:

> Send firewall-wizards mailing list submissions to
>         firewall-wizards () nfr com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://list.nfr.com/mailman/listinfo/firewall-wizards
> or, via email, send a message with subject or body 'help' to
>         firewall-wizards-request () nfr com
>
> You can reach the person managing the list at
>         firewall-wizards-admin () nfr com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of firewall-wizards digest..."
>
> Today's Topics:
>
>    1. VPN & Frame Routing (Zill, Greg)
>    2. Re: Netscreen 50 (Barney Wolff)
>    3. Netscreen 50 (Boni Bruno)
>    4. Disabling NIC whem modem is connected (Fabio G. Baptista)
>    5. RE: Auth + content filtering? (=?iso-8859-1?Q?Diaz_Perez_=B7_Juan_Carlos?=)
>    6. RE: Netscreen 50 (Bill Jaeger)
>    7. Re: Link from DMZ to Internal Apps (Joseph Steinberg)
>    8. Re: Link from DMZ to Internal Apps (R. DuFresne)
>
> --__--__--
>
> Message: 1
> Date: Mon, 18 Feb 2002 11:32:42 -0600
> From: "Zill, Greg" <Greg.Zill () owh com>
> To: <firewall-wizards () nfr com>
> Subject: [fw-wiz] VPN & Frame Routing
>
> I would like to maintain both a frame connection and VPN connectivity =
> between two NOC sites, but not sure how to selectively, or otherwise, =
> make traffic take one path vs. the other. I have heard mention OSPF, but =
> know little about its implementation. The VPN would be used for active =
> directory primarily, while the frame would be used for financials. =
> Please advise.
>
> gregory w zill, mba
> Firewall Administrator
> Omaha World Herald Company
> Landmark Center
>
> --__--__--
>
> Message: 2
> Date: Mon, 18 Feb 2002 13:03:56 -0500
> From: Barney Wolff <barney () databus com>
> To: Malcolm Joosse <malcolm () hotlinesupport com>
> Cc: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Netscreen 50
>
> What security policy are you trying to enforce?  I may be ignorant,
> but this is the first I've heard of an ISP trying to firewall its
> total user population.  Would a simple router ACL do what you want?
>
> Are DS3's so cheap that a one-time $10k is even noticeable compared
> to the monthly bill for bandwidth?
>
> On Mon, Feb 18, 2002 at 12:51:09PM +1100, Malcolm Joosse wrote:
> > Hello All,
> > I am new to this list, I tried searching the archives to find this info.
> > We are a medium sized ISP in Australia.  We run a Full 45Mb DS3 link.
> > We are/were running Watchguard Firebox 2 and have found that since we
> > upgraded the DS3 link to the full 45Mb our Firebox is having a hard time
> > with all the traffic.  While I cannot complain about the Watchguard
> > products, we thought we would ask around about different firewall
> > options.  I have received many suggestions from my peers about different
> > solutions.  We were looking at:
> > Watchguard Firebox 2500 - Seems like a office firewall and not a ISP
> > firewall - Good pricing
> > Cisco PIX  - good product, VERY $$$$$ - out of our budget
> > Netscreen 50 - Good features and good pricing - Top of the list
> > *NIX/IPtables - To fiddley and hard to find admins
> > GNAT - More suitable for a office enviroment
> > ?????  any other suggestions ?
> >
> > The Cost is a major part of this new purchase.  I do not want to spend
> > more than USD$10,000.00 as I have seen many products in this price
> > range.  We have been offered a netscreen 50 for evaluation, but as time
> > is critical, I thought I would ask about the Netscreen to get a insight
> > and avoid wasting time on testing something that is not suitable.
>
> --
> Barney Wolff
>
> --__--__--
>
> Message: 3
> Date: Mon, 18 Feb 2002 11:39:01 -0800
> From: "Boni Bruno" <bbruno () dsw net>
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] Netscreen 50
>
> Malcolm,
>
> Netscreen is a fine firewall with a lot of features for the money.
> However, the Netscreen 50 does not have device redundancy where as
> the NS 100 and above do have device redundancy with ms fail over.  This
> is an important feature to consider for future expansion and obviously
> avoiding a single point of failure.  The NS 100 is also 10K, but its
> replacement is the NS 204 which is around 12K.  If you can afford a
> little
> more, the NS 204 offers much more growth and can easily be configured in
> a redundant manner in the future when your finances allows it.
>
> Plus you get an additional DMZ port on the NS204 (total of 4), and 8
> ports
> total with the NS208 option, but the NS208 may be out of your price
> range.
>
> Cheers,
>
> -boni bruno
>
> > Message: 3
> > Date: Mon, 18 Feb 2002 12:51:09 +1100
> > From: "Malcolm Joosse" <malcolm () hotlinesupport com>
> > To: <firewall-wizards () nfr com>
> > Subject: [fw-wiz] Netscreen 50
> >
> > Hello All,
> > I am new to this list, I tried searching the archives to find this info.
> > We are a medium sized ISP in Australia.  We run a Full 45Mb DS3 link.
> > We are/were running Watchguard Firebox 2 and have found that since we
> > upgraded the DS3 link to the full 45Mb our Firebox is having a hard time
> > with all the traffic.  While I cannot complain about the Watchguard
> > products, we thought we would ask around about different firewall
> > options.  I have received many suggestions from my peers about different
> > solutions.  We were looking at:
> > Watchguard Firebox 2500 - Seems like a office firewall and not a ISP
> > firewall - Good pricing
> > Cisco PIX  - good product, VERY $$$$$ - out of our budget
> > Netscreen 50 - Good features and good pricing - Top of the list
> > *NIX/IPtables - To fiddley and hard to find admins
> > GNAT - More suitable for a office enviroment
> > ?????  any other suggestions ?
> >
> > The Cost is a major part of this new purchase.  I do not want to spend
> > more than USD$10,000.00 as I have seen many products in this price
> > range.  We have been offered a netscreen 50 for evaluation, but as time
> > is critical, I thought I would ask about the Netscreen to get a insight
> > and avoid wasting time on testing something that is not suitable.
> >
> > Regards
> > Malcolm Joosse=20
> > Hotline Support (Total IT Solutions)=20
>
> --__--__--
>
> Message: 4
> From: "Fabio G. Baptista" <fbaptista () e-dablio com>
> To: 'Firewall Wizards' <firewall-wizards () nfr com>
> Date: Mon, 18 Feb 2002 17:01:27 -0300
> Subject: [fw-wiz] Disabling NIC whem modem is connected
>
> Hi wizards,
>
> Is there a way to disable the NIC of a Windows based machine when the =
> modem
> is connect to the Internet ?
> I think that a machine connect to the internet via modem and plugged to =
> the
> internal LAN can be a security risk, while it is bypassing the =
> firewall.=20
>
> Thanks,
>
> F=E1bio G. Baptista
> e-Dablio Project Management
> Tel.: + 55 21 3852-0650
> http://www.e-dablio.com <http://www.e-dablio.com>=20
>
> --__--__--
>
> Message: 5
> From: =?iso-8859-1?Q?Diaz_Perez_=B7_Juan_Carlos?= <JuanCarlos.Diaz () atosodsorigin com>
> To: Tamas FORJAN <tamas () 2fkft com>, firewall-wizards () nfr com
> Subject: RE: [fw-wiz] Auth + content filtering?
> Date: Mon, 18 Feb 2002 21:52:53 +0100
>
> I think you should change the orther of your rules this way:
>
>         Src                   Dst     Srv             Act
>         PrivUsers@InternalNet Any     http            ClientAuth
>         MP3Users@InternalNet  Any     http            ClientAuth
>         Any                   Any     http->mp3filter Reject
>
> If this works please, let me know.
>
> HTH :)
>
> JUAN CARLOS D=CDAZ P=C9REZ
>
> > -----Mensaje original-----
> > De:   Tamas FORJAN [SMTP:tamas () 2fkft com]
> > Enviado el:   domingo 17 de febrero de 2002 23:27
> > Para: firewall-wizards () nfr com
> > Asunto:       [fw-wiz] Auth + content filtering?
> > =20
> > Hello,
> > =20
> > I would like to know whether you know a way to implement HTTP file =
> access
> > control based on file extensions and authentication.
> > =20
> > Basically, what I would like to do is to set up different user groups =
> for
> > different kinds of file access. Not everybody should be able to =
> access MP3
> > files, WMA files and such. My idea is to set up groups for those =
> people
> > who
> > need access to these 'privileged' file types.
> > =20
> > What I tried already was to set up resources to filter content, along =
> with
> > partially automatic client auth. My rulebase looked the following:
> > =20
> > Src                   Dst     Srv             Act
> > PrivUsers@InternalNet Any     http            ClientAuth
> > Any                   Any     http->mp3filter Reject
> > MP3Users@InternalNet  Any     http            ClientAuth
> > =20
> > The result of the above is that PrivUsers can properly authenticate =
> and
> > have
> > access, but no users in the MP3Users group can authenticate at all. =
> They
> > receive 3 different authentication windows from their browser, but at =
> the
> > end, they receive the following error:
> > =20
> > Error 401
> > FW-1 at wreport: Unauthorized to access the document.
> > Authorization is needed for FW-1.
> > The authentication required by FW-1 for tforjan is: unknown.
> > Reason for failure of last attempt:
> > =20
> > What worries me is the 'authentication required by FW-1 for tforjan =
> is:
> > unknown.' clause, because this user has a defined authentication =
> scheme:
> > FireWall-1 Password.
> > =20
> > No matter how many rules you set up, only the first authentication =
> rule
> > will
> > allow successful authentication. All the others will fail with the =
> above
> > message.
> > =20
> > Do you have any idea why?
> > =20
> > Do you have any idea how to implement the desired functionality in =
> any
> > other
> > way?
> > =20
> > Environment: Nokia IP440, IPSO 3.4.2, CP NG FP1.
> > =20
> > Thank you.
> > =20
> > --
> > FORJAN Tamas
> > Technical Support
> > 2F 2000 Szamitastechnikai es Szolgaltato Kft.
> > http://www.2f.hu/
> > =20
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> --__--__--
>
> Message: 6
> From: "Bill Jaeger" <wlj () interNook net>
> To: "Malcolm Joosse" <malcolm () hotlinesupport com>
> Cc: <firewall-wizards () nfr com>
> Subject: RE: [fw-wiz] Netscreen 50
> Date: Mon, 18 Feb 2002 16:23:37 -0500
>
> Hi Malcolm,
>
> Unfortunately, I can't comment on the NetScreen as compared to the other
> firewalls.  However, I wanted to point out that the GNAT Box firewalls are
> not limited to "office" applications.  The higher end models (GB-Flash and
> GB-1000) may well meet your needs.  Pricing is quite attractive, too.  I
> believe that the list price on the GB-Flash is $1500 USD and the GB-1000 is
> $2700 USD.
>
> The GB-1000 is a 1RU appliance with 4x100Mbps Ethernet interfaces and an
> Intel Celeron 500MHz processor.  The GB-Flash allows you to deploy the
> firewall on whatever Intel-based hardware platform you choose.  You can find
> out more information at http://www.gnatbox.com .
>
> I've been using a GB-1000 for about 1.25 years to segregate 4 different
> 100Mbps full duplex network segments with a fairly rigid rule set.  In doing
> so, I haven't noticed any significant performance degradation.  I suspect
> that if it works OK in my environment, it should work OK in yours (but be
> sure to verify!  ;)
>
> BTW, I have no relationship to GTA (the company that makes the GNAT Box)
> other than as a reasonably satisfied customer.
>
> Please let me know if you'd like additional info.
>
> -Bill
>
> > -----Original Message-----
> > From: firewall-wizards-admin () nfr com
> > [mailto:firewall-wizards-admin () nfr com]On Behalf Of Malcolm Joosse
> > Sent: Sunday, February 17, 2002 8:51 PM
> > To: firewall-wizards () nfr com
> > Subject: [fw-wiz] Netscreen 50
> >
> >
> > Hello All,
> > I am new to this list, I tried searching the archives to find this info.
> > We are a medium sized ISP in Australia.  We run a Full 45Mb DS3 link.
> > We are/were running Watchguard Firebox 2 and have found that since we
> > upgraded the DS3 link to the full 45Mb our Firebox is having a hard time
> > with all the traffic.  While I cannot complain about the Watchguard
> > products, we thought we would ask around about different firewall
> > options.  I have received many suggestions from my peers about different
> > solutions.  We were looking at:
> > Watchguard Firebox 2500 - Seems like a office firewall and not a ISP
> > firewall - Good pricing
> > Cisco PIX  - good product, VERY $$$$$ - out of our budget
> > Netscreen 50 - Good features and good pricing - Top of the list
> > *NIX/IPtables - To fiddley and hard to find admins
> > GNAT - More suitable for a office enviroment
> > ?????  any other suggestions ?
> >
> >
> > The Cost is a major part of this new purchase.  I do not want to spend
> > more than USD$10,000.00 as I have seen many products in this price
> > range.  We have been offered a netscreen 50 for evaluation, but as time
> > is critical, I thought I would ask about the Netscreen to get a insight
> > and avoid wasting time on testing something that is not suitable.
> >
> > Regards
> > Malcolm Joosse
> > Hotline Support (Total IT Solutions)
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> --__--__--
>
> Message: 7
> From: "Joseph Steinberg" <joseph () whale-com com>
> To: <firewall-wizards () nfr com>
> Cc: <yamadog35 () yahoo com>
> Subject: Re: [fw-wiz] Link from DMZ to Internal Apps
> Date: Mon, 18 Feb 2002 23:15:31 -0500
>
> For "external access to internal applications" in cases where a VPN is
> overkill, you may want to consider the e-Gap System, which was designed with
> securing that type of access in mind.
>
> http://www.whalecommunications.com/1900a.htm
>
> J Steinberg
>
>             _.._
>            (_.-.\         Joseph Steinberg
>        .-,       `        Director of Technical Services
>   .--./ /     _.-""-.     Whale Communications
>    '-. (__..-"       \
>       \          a    |   joseph () whale-com com
>        ',.__.   ,__.-'/   (201) 947-9177 x1511
>          '--/_.'----'`    http://www.whalecommunications.com
>
> --__--__--
>
> Message: 8
> Date: Tue, 19 Feb 2002 01:05:16 -0500 (EST)
> From: "R. DuFresne" <dufresne () sysinfo com>
> To: "Marcus J. Ranum" <mjr () nfr com>
> Cc: Guess Who <yamadog35 () yahoo com>, firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Link from DMZ to Internal Apps
> Organization: sysinfo.com
>
> It seems to me that there might well be an area here that is still
> ignored.  Even with strict access and authentication mechinisms in place,
> in an environment whence there is this lax concept of data security, and
> considering that much of this data is personal for those people it is
> maintained upon, but, impersonal to those that use the data in the course
> of their work, the risk remains, that once the data has been scarfed up by
> one for their job, and especially those folks working from home, or in
> partnership relations via VPN's, how secure does that data then remain?
> An encrypted VPN tunnel only protects that data in transit, not once the
> data is parsed down to a users laptop or home machine, once it leaves the
> perimiter how secure remains the confidentiality of that data?  Thus the
> mention by many about policies.  Those policies, and HIPPA regulations,
> are required to deal with data leakage once the data has been 'securely'
> transmitted as well.
>
> Thanks,
>
> Ron DuFresne
>
> On Mon, 18 Feb 2002, Marcus J. Ranum wrote:
>
> > > Due to departure of more experienced security minds in
> > > our healthcare organization, I am faced with making
> > > inexperienced decisions on demands for external access
> > > to internal applications.
> >
> > One thing to get familiar with is HIPAA - it's a government
> > guideline/standard "protecting the confidentiality and integrity of
> > 'individually identifiable health information,' past, present or future."
> > You should make sure that whatever access you're providing
> > is OK under HIPAA...
> >
> > > Our Web
> > > dev team just released a "portal" for these users that
> > > aggregates some of the info they need and we have this
> > > available on the outside via our DMZ environment, but,
> > > of course, they want more.
> >
> > Presumably the "portal" is using some kind of security, yes?
> > Maybe SSL on the links at a minimum? ..?
> >
> > >  As more of our legacy
> > > internal apps move to Web, these users want us to
> > > simply "link" them to these internal apps from the
> > > externally available portal.  This to me would appear
> > > to simply bring external users directly to the inside
> > > defeating the purpose of the separate web environment
> > > in the DMZ.
> >
> > Actually the fact that your organization is set up so that
> > some bunch of Web Developers can just build and deploy
> > a "portal" (whatever that is...) without having to interface
> > with your security practitioners indicates to me that you're
> > probably already in trouble, security-wise...
> >
> > Normally, I wouldn't recommend a strategy like this, but
> > since it sounds like a plate of spaghetti has dropped in your
> > lap. I'd recommend you pursue a vigorous offensive of butt-covering
> > while you get spun up on healthcare security and computer
> > security. You can use the "I am getting spun up on this stuff..."
> > as a dodge to delay whatever insecure deployments you can
> > until you learn enough so you can judge the wisdom or non-wisdom
> > of any security-related deployments yourself. You've got what
> > sounds to me like a potentially nasty situation. Any organization
> > where the end users feel empowered to just deploy stuff and/or
> > apply that kind of pressure on the security organization without
> > any administrative checks and balances is almost guaranteed to
> > have serious security failures.
> >
> > mjr.
> > ---
> > Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
> > Work:                           http://www.nfr.com
> > Personal:                      http://www.ranum.com
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> --__--__--
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> End of firewall-wizards Digest

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards