| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 4616.1 | Re: https/ssl secured access over two firewalls? | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Thu Apr 17 1997 15:44 | 19 |
| small@gidday.enet.dec.com wrote:
: Title: https/ssl secured access over two firewalls?
:
: We are trying to solve an IP connectivity problem over multiple
: companies' Intranets. The requirements are for a select group of users
: at company A to access WWW and FTP sites inside the Intranet of company
: B.
We use AltaVista Tunnel to do this kind of thing between Digital and
other companies with whom we require such access.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4616.2 | tunnels are a problem | GIDDAY::SMALL | | Thu Apr 17 1997 21:08 | 17 |
| Hi Stephen,
> We use AltaVista Tunnel to do this kind of thing between Digital and
> other companies with whom we require such access.
Unfortunately tunneling software is not an acceptable proposal to
company A, because they have no visibility of the traffic into their
network - they will not be directly managing the tunnel client
software.
The only way that I can see around this is to install a private network
inside Company A, and a second firewall between the private network and
company A Intranet. Do you know of any alternatives to this scheme
that would satisfy both the privacy and audit requirements?
Allan
|
| 4616.3 | Re: https/ssl secured access over two firewalls? | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri Apr 18 1997 00:54 | 37 |
| small@gidday.enet.dec.com wrote:
: Title: https/ssl secured access over two firewalls?
: Reply Title: tunnels are a problem
: Unfortunately tunneling software is not an acceptable proposal to
: company A, because they have no visibility of the traffic into their
: network - they will not be directly managing the tunnel client
: software.
I'm not sure that I understand what this means, particularly "no
visibility of the traffic." The tunnel router can run screend to
control what kind of traffic is allowed to flow through the tunnel,
and can run gated to control what routes are announced via the tunnel
(you also want to run screend, in case the other side has static
routes). Each company would control their end in such fashion, and
with what amounts to a screening router at each end, the traffic
allowed would be the intersection of the sets of traffic that A allows
and that B allows. This is exactly what you propose below:
: The only way that I can see around this is to install a private network
: inside Company A, and a second firewall between the private network and
: company A Intranet. Do you know of any alternatives to this scheme
: that would satisfy both the privacy and audit requirements?
The "private network" is the tunnel. Privacy is provided by
screend. Auditing is provided by having screend log packets (be
careful that the log disk doesn't fill up). If they prefer, the tunnel
machines can act as application relays instead of routers, and logging
can be performed at the application layer. Or some of both.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
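To make the point in 4616.3 concrete (a screening router at each end of the tunnel, traffic allowed = the intersection of what A allows and what B allows, auditing by logging every decision), here is a small model written for this page. It is not AltaVista Tunnel, screend or gated code, and the rule syntax, addresses and port numbers are constructed for the illustration. The model also bounds the audit log so the "log disk fills up" failure mode is counted rather than silently losing the machine.

```python
"""
Model of a two-ended screening-router tunnel (added example, not DEC code).

Company A's tunnel router screens packets entering the tunnel; company B's
tunnel router screens packets leaving it.  A packet reaches B's network only
if both screens accept it, so the effective policy is the intersection of the
two rule sets.  Each screen is first-match with default deny and keeps a
bounded audit log.  All addresses and ports below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    proto: str = "any"            # "tcp", "udp" or "any"
    dports: Tuple[int, ...] = ()  # empty tuple = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (not self.dports or p.dport in self.dports))


class Screen:
    """First-match packet screen, default deny, bounded audit log."""

    def __init__(self, name: str, rules: List[Rule], log_limit: int = 1000):
        self.name = name
        self.rules = rules
        self.log_limit = log_limit
        self.log: List[str] = []
        self.dropped_log_entries = 0   # decisions made after the log filled up

    def decide(self, p: Packet) -> bool:
        action = "deny"
        for rule in self.rules:
            if rule.matches(p):
                action = rule.action
                break
        entry = f"{self.name} {action} {p.proto} {p.src} -> {p.dst}:{p.dport}"
        if len(self.log) < self.log_limit:
            self.log.append(entry)
        else:
            self.dropped_log_entries += 1   # keep filtering, but remember the gap
        return action == "allow"


def crosses_tunnel(a_end: Screen, b_end: Screen, p: Packet) -> bool:
    """A packet reaches B only if A lets it into the tunnel AND B lets it out."""
    return a_end.decide(p) and b_end.decide(p)


# Constructed sample policies (hypothetical addresses).
A_USERS = "10.1.5.0/24"        # the select group of users at company A
B_WWW = "172.16.20.10"         # company B's WWW server
B_FTP = "172.16.20.11"         # company B's FTP server

# A is fairly loose: its users may reach any host on B's server subnet on 21/80/443.
company_a = Screen("A", [
    Rule("allow", A_USERS, "172.16.20.0/24", "tcp", (21, 80, 443)),
])
# B is tighter: only the two named servers, each on its own ports.
company_b = Screen("B", [
    Rule("allow", A_USERS, B_WWW + "/32", "tcp", (80, 443)),
    Rule("allow", A_USERS, B_FTP + "/32", "tcp", (21,)),
])

SAMPLE_PACKETS = [
    Packet("10.1.5.7", B_WWW, "tcp", 443),           # allowed by both
    Packet("10.1.5.7", B_FTP, "tcp", 21),            # allowed by both
    Packet("10.1.5.7", "172.16.20.12", "tcp", 80),   # A allows, B denies
    Packet("10.1.6.3", B_WWW, "tcp", 443),           # not a selected user: A denies
    Packet("10.1.5.7", B_WWW, "tcp", 23),            # telnet: neither allows
]


def run_samples() -> List[bool]:
    """Push the sample packets through both screens; returns one verdict each."""
    return [crosses_tunnel(company_a, company_b, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print(run_samples())
    for line in company_a.log + company_b.log:
        print(line)
```

Two things the model makes visible. First, B's log only ever contains packets A already let through, so each company's audit trail shows exactly what it chose to allow, and the union of the two logs reconstructs the whole flow. Second, a plain stateless screen like this is fine for HTTP/HTTPS but needs care for FTP, which opens a second data connection (in active mode, from the server back to the client); a real deployment would either restrict users to passive mode or, as 4616.3 suggests, relay FTP at the application layer instead of routing it.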
| 4616.4 | | GIDDAY::SMALL | | Fri Apr 18 1997 02:15 | 9 |
| Hi Stephen,
Thanks for the update.
Are you referring to the use of a group tunnel? In this case, the
security managers at each company would need to directly manage their
end of the tunnel (outside of the users' control)?
Allan
|
| 4616.5 | Re: https/ssl secured access over two firewalls? | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri Apr 18 1997 04:44 | 25 |
| small@gidday.enet.dec.com wrote:
: Title: https/ssl secured access over two firewalls?
: Reply Title: (none)
: Thanks for the update.
:
: Are you referring to the use of a group tunnel? In this case, the
: security managers at each company would need to directly manage their
: end of the tunnel (outside of the users' control)?
Yes. Even in the case of personal tunnels, though, each tunnel server
would need to be managed in terms of what access it provided. I hope
this isn't going in the direction of trying to find a solution that
circumvents the security managers.
Tunnels are just software wires. No matter the nature of the wire, you
still need to pay attention to what you allow to happen over that
wire.
Stephen
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4616.6 | Looking for other solutions | GIDDAY::SMALL | | Mon Apr 21 1997 00:24 | 30 |
| Hi Stephen,
> Yes. Even in the case of personal tunnels, though, each tunnel server
> would need to be managed in terms of what access it provided. I hope
> this isn't going in the direction of trying to find a solution that
> circumvents the security managers.
No, exactly the opposite. The problem is that each security
manager and the business unit have incompatible views on tunnels.
>
> Tunnels are just software wires. No matter the nature of the wire, you
> still need to pay attention to what you allow to happen over that
> wire.
Yes - setting up a full PVN with its own firewall could solve this
problem, but would require considerable effort, including a great deal
of negotiation and a redesign of the network. From the users'
perspective, PC tunnel clients are impractical (there are already two
screens on the desk - neither is a PC).
IMHO establishing a PVN is a worthwhile long term project, but tunnels
are not the only way to provide secure access from an untrusted network
(e.g. single-use passwords, SSL, etc.). What we are looking for is a
creative short term solution that would solve our business problem
(secure WWW/FTP access across the two firewalls).
Thanks for your help
Allan
|