-------- From academic-firewalls-owner@net.tamu.edu Mon Mar 17 21:08:25 1997
X-Mailer: ELM [version 2.4 PL24 ME8b]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Date: Tue, 18 Mar 1997 14:48:19 +1200 (NZT)
From: Russell Fulton
To: academic-firewalls@net.tamu.edu
Subject: firewalls and authenticated connections

Greetings All,
    I have been off the list for a few months (went on
leave in November and forgot to resubscribe when I returned) so if
these issues have been covered in the last few months then please
point me to the archive.

We have recently contracted with a local ISP to provide dialup access
for students to the campus network. We have an E1 link to the ISP and
this lands on a router on our DMZ. We wish to make material available
to these students (and later others who may come in from the internet)
that we do not wish to make generally available via the Internet. (In
some cases because of copyright issues and others because in the
competitive climate of the 90's we don't want to share our teaching
material with other institutions :-( )

Access will be IP only and mainly web but there are also some
departments who will need telnet and ftp. Longer term we will also
almost certainly be asked to support SMB.

Long term, I believe, that we need to have authentication systems
(preferably kerberos) built in to all servers that are not wholly
public. But this is not practical in the immediate future with the
resources available so I am looking for an interim solution that can
be put in place fairly quickly at moderate cost.

We are installing a DCE system for another project and we hope to be
able to use the Kerberos component of this as an authentication server
for this project.

I have spent quite some time trying to work out the best way to do
this. Most commercial firewall products that I have looked at appear
to be built around the assumption that you have a few users that need
authenticated access on the outside and lots who need
unauthenticated access from the inside out. Our situation is that we
have lots (1000s) of users who need authenticated access from the
outside and none going out.

Any experiences, thoughts on strategies or pointers to products will
be most welcome.

Cheers, Russell.

+-------------------------------------------------------------------+
| Russell Fulton            'phone +64 9 373-7599 x 8955            |
| ITSS                      fax    +64 9 373-7425                   |
| University of Auckland    email  r.fulton@auckland.ac.nz          |
| Private Bag 92019         time   gmt -12 (-13 oct - mar)          |
| Auckland, New Zealand.                                            |
+-------------------------------------------------------------------+

-------- From academic-firewalls-owner@net.tamu.edu Tue Mar 18 05:52:19 1997
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Date: Tue, 18 Mar 97 13:36:24
From: Ziv Dascalu
To: academic-firewalls@net.tamu.edu
Subject: RE: firewalls and authenticated connections

- --- On Tue, 18 Mar 1997 14:48:19 +1200 (NZT) Russell Fulton wrote:

>Greetings All,
>    I have been off the list for a few months (went on
>leave in November and forgot to resubscribe when I returned) so if
>these issues have been covered in the last few months then please
>point me to the archive.
>
>We have recently contracted with a local ISP to provide dialup access
>for students to the campus network. We have an E1 link to the ISP and
>this lands on a router on our DMZ. We wish to make material available
>to these students (and later others who may come in from the internet)
>that we do not wish to make generally available via the Internet. (In
>some cases because of copyright issues and others because in the
>competitive climate of the 90's we don't want to share our teaching
>material with other institutions :-( )
>
>Access will be IP only and mainly web but there are also some
>departments who will need telnet and ftp. Longer term we will also
>almost certainly be asked to support SMB.
>
>Long term, I believe, that we need to have authentication systems
>(preferably kerberos) built in to all servers that are not wholly
>public. But this is not practical in the immediate future with the
>resources available so I am looking for an interim solution that can
>be put in place fairly quickly at moderate cost.
>
>We are installing a DCE system for another project and we hope to be
>able to use the Kerberos component of this as an authentication server
>for this project.
>
>I have spent quite some time trying to work out the best way to do
>this. Most commercial firewall products that I have looked at appear
>to be built around the assumption that you have a few users that need
>authenticated access on the outside and lots who need
>unauthenticated access from the inside out. Our situation is that we
>have lots (1000s) of users who need authenticated access from the
>outside and none going out.
>
>Any experiences, thoughts on strategies or pointers to products will
>be most welcome.
>
>Cheers, Russell.
>

I would suggest talking with your ISP to allocate a range of IPs for the
students calling in and define in the firewall that whole range (better
use IP & subnet) as allowed to access the local network.

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T      Active Network Protection      http://www.AbirNet.com |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
 \========== Get a BETA version at ============/

-------- From academic-firewalls-owner@net.tamu.edu Tue Mar 18 08:13:10 1997
X-PRIORITY: 3 (Normal)
X-Mailer: Chameleon 5.0, TCP/IP for Windows, NetManage Inc.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Date: Tue, 18 Mar 97 16:02:24
From: Ziv Dascalu
To: academic-firewalls@net.tamu.edu
Subject: RE: firewalls and authenticated connections

- --- On Tue, 18 Mar 1997 14:48:19 +1200 (NZT) Russell Fulton wrote:

> We wish to make material available
>to these students (and later others who may come in from the internet)
>that we do not wish to make generally available via the Internet

I would suggest talking with your ISP to allocate a range of IPs for the
students calling in and define in the firewall that whole range (better
use IP & subnet) as allowed to access the local network.

/Ziv

/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| A B I R N E T      Active Network Protection      http://www.AbirNet.com |
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/
 \========== Get a BETA version at ============/
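Ziv's suggestion, an address-range rule on the DMZ router, worked through as an added example that is not part of the original thread and not any vendor's code: a default-deny filter check in Python, run over constructed log records. The student pool 198.51.100.0/24, the restricted-server range 192.0.2.0/24, the service-to-port table and the record format are all assumptions chosen for illustration. The check also makes the limitation in Russell's message visible: the rule keys on the source address alone, so every host holding an address from the ISP's pool is treated identically, which is why he treats range-based access as an interim measure ahead of per-user (Kerberos) authentication.

```python
import ipaddress
import re

# Constructed policy for illustration; the addresses are placeholders,
# not the university's or the ISP's real allocations.
STUDENT_POOL = ipaddress.ip_network("198.51.100.0/24")   # assumed ISP dial-up pool
CAMPUS_SERVERS = ipaddress.ip_network("192.0.2.0/24")    # assumed restricted servers

# Services the thread mentions, keyed by the TCP ports a packet filter sees.
# SMB is deliberately absent: Russell lists it as a later requirement.
SERVICE_PORTS = {
    "web": {80, 443},
    "telnet": {23},
    "ftp": {21},  # control channel only; active-mode data (20) needs its own rule
}

# Each rule: (source network, destination network, allowed service names).
POLICY = [
    (STUDENT_POOL, CAMPUS_SERVERS, {"web", "telnet", "ftp"}),
]


def evaluate(src, dst, dport):
    """Return 'allow' or 'deny' for one inbound TCP packet.

    Default deny: a packet passes only when a rule matches both addresses
    and the destination port belongs to one of that rule's services.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for src_net, dst_net, services in POLICY:
        if src_ip in src_net and dst_ip in dst_net:
            allowed_ports = set().union(*(SERVICE_PORTS[s] for s in services))
            if dport in allowed_ports:
                return "allow"
    return "deny"


# Constructed record format; a real router log would differ.
RECORD = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def audit(records):
    """Apply the policy to 'src=... dst=... dport=...' records and return
    (record, verdict) pairs so the decisions can be reviewed offline."""
    verdicts = []
    for line in records:
        m = RECORD.search(line)
        if m is None:
            verdicts.append((line, "unparsed"))
            continue
        verdicts.append((line, evaluate(m["src"], m["dst"], int(m["dport"]))))
    return verdicts


# Constructed samples: a student on the pool fetching a web page, a
# department user on telnet, an outside host trying the same page, and an
# SMB attempt from the pool (not yet permitted by the policy).
SAMPLE_RECORDS = [
    "src=198.51.100.17 dst=192.0.2.10 dport=80",
    "src=198.51.100.42 dst=192.0.2.20 dport=23",
    "src=203.0.113.5 dst=192.0.2.10 dport=80",
    "src=198.51.100.17 dst=192.0.2.30 dport=445",
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_RECORDS):
        print(f"{verdict:8} {record}")
```

Two things the output makes plain. The outside host is refused only because its address is not in the pool, and the SMB attempt is refused only because no rule names port 445; neither decision says anything about who is dialled in. Adding SMB later is a one-line change to SERVICE_PORTS and the rule's service set, but distinguishing one student from another cannot be expressed in this policy at all, which is the gap the authentication server is meant to close.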