Does anyone know of a program that will accomplish this?
TIA,
Bruce
A Virtual Private Network feature will do the trick. Your
remote PC's would use VPN client software which would
encrypt traffic from them across the Internet. If your firewall
has the feature, it can assign an IP address to those clients
that is legal inside your firewall and let that traffic in.
If your firewall does not support this, you can get a VPN
box from companies like Compatible Systems, RedCreek,
VPNet, and others.
Here are some VPN related links for more information:
http://www.isportal.com/vpn/
http://www.securitydynamics.com/webinars/tsld001.html
http://www.vpn.outer.net/
http://www.itserv.com/
http://www.uq.net.au/~zzdmacka/the-nat-page/
http://alumni.caltech.edu/~dank/peer-nat.html
http://www.nwfusion.com/reviews/0510rev.html
http://www.vpninsider.com/
http://www.redcreek.com
http://www.vpnet.com
http://www.timestep.com
Hope that helps you get started!
Craig Wiesner
Bruce Varney wrote:
--
******************************************
WK Multimedia Network Training
InternetWorking Education Specialists
http://www.wkmn.com
Visit our Technical Reference Library
Click through and buy books and we donate
all proceeds to feed the homeless.
http://www.wkmn.com/refer.html
******************************************
>Our company has set up a firewall (SCO's Internet Security Package), but
>need a way to authorize outside access automatically. Two of our
>employees (it's a small company of 6) are outside of the office (in
>different timezones, actually), and need to be able to connect remotely
>through a local ISP. Neither ISP offers dedicated IP access, so we need
>some type of authorization mechanism that will open up access through
>the firewall to a specific IP after some sort of sign-on process so they
>have access to the WinNT server, telnet access to various machines
>inside the firewall, etc.
There's probably nothing exactly like you want, since it'd be too easy
to compromise.
Instead, why not install ssh and open its port up to the two ISP's
address ranges? That limits the directions from which attacks can
come, while still providing a reasonable amount of security.
Another plan might be to set up a DMZ: Put a second small Unixish box
out as the gateway to the Internet. (This can be a spare 486, because
the box won't need to run X or any of a number of other hungry
services.) Open up only ssh inbound access to this box, and uninstall
virtually everything else on the box. Then on the "real" Unix box,
allow ssh inbound access from the gateway only. Then the employees
can log into the gateway, and then ssh in through the firewall.
A side benefit of this architecture is that you double the firewall
protection. Also, if you use a different OS for the gateway than your
main Unix box, you usually increase your protection even more because
it's rare for two different OSes to be vulnerable to the same exploits
at the same time. It doubles the number of tricks that an intruder
has to know to be able to break in.
Of course, your routing configuration becomes a bit more squirrelly,
and the remote employees will have a bit more work to do to get
inside, but IMO that's an acceptable consequence of having remote
employees.
= Warren -- http://www.cyberport.com/~tangent/
> Bruce Varney <var...@mail.hsonline.net> wrote:
>
> >Our company has set up a firewall (SCO's Internet Security Package), but
> >need a way to authorize outside access automatically. Two of our
> >employees (it's a small company of 6) are outside of the office (in
> >different timezones, actually), and need to be able to connect remotely
> >through a local ISP. Neither ISP offers dedicated IP access, so we need
> >some type of authorization mechanism that will open up access through
> >the firewall to a specific IP after some sort of sign-on process so they
> >have access to the WinNT server, telnet access to various machines
> >inside the firewall, etc.
>
> There's probably nothing exactly like you want, since it'd be too easy
> to compromise.
You can do this with IPSec using Cyberguard and Ravlinsoft from Red Creek.
Or, you can add a Ravlin{4|10} box in front of the existing firewall and
still use Ravlinsoft on the client machines.
I believe Cyberguard has a pdf on it under the VPN section of their
webpage. Http://www.cyberguard.com
--
Joseph W. Shaw - js...@insync.net
Freelance Computer Security Consultant and Perl Programmer
Free UNIX advocate - "I hack, therefore I am."