NFR Wizards Archive: VPN to Remote Desktop

VPN to Remote Desktop


Holt, Gail (Gail.Holthealth.wa.gov.au)
Thu, 13 Nov 1997 12:39:43 +0800


Hi,
I run FW1 (currently V2.1c but soon to be 3.0b), SPARC 5, Solaris 2.5,
no NAT, 5 interfaces, a couple of DMZs. Our network is a B class, and
have approx 9,000 users. We are starting to get requests from external
networks to have access to information held on secure servers inside our
network. At the moment, no inbound traffic is allowed - only outbound.
I am looking for ways to grant these external users secure access to
these internal servers. Our network is classed as 'secure' (in our
minds anyway !), however any of our information traversing any external
network must be encrypted for confidentiality. FW-1 VPN only encrypts
firewall - firewall; I need a way to encrypt either from the internal
server to remote external desktop, or from our firewall to remote
external desktop. (Besides there's no guarantee that the external
network has a firewall at all.)
I really don't want any direct network connections, and let's forget
dial-in for the moment - there just has to be a better way. Also I am
looking for a generic solution, as the server the externals want to
connect to may be Oracle, Lotus Notes or anything else.

Solutions -
1. SecuRemote. The good book says that when configuring the SecuRemote
client, that the client must be online to the network...... I seem to
remember from previous fiddling with SecuRemote that this is because the
client then queries the manager (in this case our firewall) for keys and
encryption domain information. Can someone please confirm this ? If
so, then this solution is not appropriate and scalable - I can't start
asking people in remote networks to send in their PC while I configure
it here, then send it out again ! If this is not so, the book also says
that the manager (our firewall) needs to have a resolvable ip address...
this would mean that I would have to advertise my firewall on our public
DNS which I don't want to do.
2. Put a server on our DMZ, mirror any internal info we want to onto
this, put authentication on it (e.g. SecurID), and allow people in through
the firewall to this server. (I personally prefer this, as it also
means that these external people aren't chewing up internal bandwidth,
and aren't directly accessing a production server, no matter how well
authenticated they are.) What would be the best way to encrypt the data
in this scenario ?
3. PPTP. Can someone tell me about this, and would this offer a
solution ?

Any ideas ? Thanks.
Gail
_______________________________________
Gail Holt
Internet Administrator
Health Department of WA
phone: (08) 9222 2429
email: gail.holthealth.wa.gov.au

All I ask for in life is the chance to prove that money can't make me
happy.
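One way to write down the policy behind option 2 (mirror server on the DMZ, internal network stays outbound-only), added here as an example and not part of the post or of Check Point's software: a small first-match rulebase model in Python. The documentation address ranges, the mirror's address (192.0.2.10) and port 443 as the encrypted service are assumptions.

```python
"""Added model of option 2 (mirror server on the DMZ) as an ordered,
first-match rulebase in the style of an FW-1 policy. Address ranges, the
mirror's address and the service port are constructed for this example."""
import ipaddress
from dataclasses import dataclass

# Constructed zones (RFC 5737 documentation ranges, not the author's B class).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("198.51.100.0/24"),
}
DMZ_MIRROR = ipaddress.ip_address("192.0.2.10")  # mirrored, SecurID-fronted server
ENCRYPTED_PORTS = {443}  # only the encrypted service is exposed to externals

# (src zone, dst zone, dst host, dst ports, action); first match wins, as in FW-1.
RULES = [
    ("internal", "any", None, None, "accept"),  # 1: outbound-only posture, incl. mirror refresh
    ("any", "internal", None, None, "drop"),  # 2: nothing inbound to production servers
    ("external", "dmz", DMZ_MIRROR, ENCRYPTED_PORTS, "accept"),  # 3: externals reach the mirror only
    ("any", "any", None, None, "drop"),  # 4: cleanup; the mirror never initiates connections
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def decide(flow: Flow) -> str:
    """Return the action of the first rule matching a new connection."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    for src, dst, host, ports, action in RULES:
        if src not in ("any", s) or dst not in ("any", d):
            continue
        if host is not None and ipaddress.ip_address(flow.dst) != host:
            continue
        if ports is not None and flow.dport not in ports:
            continue
        return action
    return "drop"  # unreachable behind the cleanup rule; kept as a safe default

if __name__ == "__main__":
    for f in (Flow("203.0.113.5", "192.0.2.10", 443), Flow("203.0.113.5", "192.0.2.10", 1521),
              Flow("203.0.113.5", "198.51.100.20", 443), Flow("192.0.2.10", "198.51.100.20", 1521)):
        print(f, decide(f))
```

Rule order is the point: the accept for internal hosts must sit above the inbound drop, or the internal-side refresh of the mirror would be blocked, while an external connection straight to a database port on the mirror still falls through to the cleanup rule.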



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT