Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Reuters 3000 & Firewall-1
From: Ken Kempster <kempster @ monarch . rnb . com>
Date: Thu, 31 Oct 1996 12:40:25 -0500 (EST)
To: Bruno Raoult <br @ ota . societe-generale . fr>
Cc: firewall digest <firewalls-digest @ GreatCircle . COM>
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments: Internet Message: Sender identity is not verified.
Comments: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In-reply-to: <Pine . LNX . 3 . 91 . 961031181538 . 27017A-100000 @ styx1 . ota . societe-generale . fr>

On Thu, 31 Oct 1996, Bruno Raoult wrote:

> On Thu, 31 Oct 1996, Ken Kempster wrote:
> > On Thu, 31 Oct 1996, Bruno Raoult wrote:
> > 
> > > Hi,
> > > 
> > > Someone talked in this mailing list about the port problem between
> > > Reuters-3000 services and Firewall-1 services (#156 & 157).
> > > 
> > > Unhappily I lost the report, and I'd like to ask some questions,
> > > such as:
> > > 	- Is there a security problem with this configuration?
> > > 	- Reuters-3000 uses Full IP from the customer site to the Reuters
> > > 	  servers. Reuters does not want to give me details about
> > > 	  their internal security. Does someone know something about it?
> > > 	- Reuters uses a real-time Unix (QNX) as session server (=gateway).
> > > 	  Does someone know about the security of this machine?
> > > 	- The QNX IP stack has been rewritten for Reuters. Any
> > > 	  information?
> > > 	- Reuters needs the customer to use RIP protocol. I think it
> > > 	  may be quite dangerous, as Reuters may get information about
> > > 	  our real network
> > > 	- Reuters "RBR" service needs to share NT disks from Reuters
> > > 	  side to customer side. I think this implies the use of "considered
> > > 	  dangerous" services as 137/138/139. Is there a risk there?
> > 
> > What we have done here is put a PIX Firewall between the session server
> > and our internal network.   IPs on our internal network are remapped
> > to bogus ones on the session server side.
> 
> How do you manage UDP ports? Do you let them pass through your PIX?
> Do you trust Reuters translated addresses?

All communication is initiated one way: from the Reuters side
they are not able to initiate a connection; the WSs on our internal
network make the initial connection to the Reuters
session server.  I.e., I can ping their IPs but they can't ping anything
past the PIX.



> 
> > Question for you:   Are you running internal DNS?  If so,  did you have
> > problems configuring it to forward requests for session.rservices.com
> > to the session server?   What was your solution?
> 
> Yes, we have. But it is not yet configured. I suppose it should work *IF*
> reuters DNS proxy has a "normal" way to run (it should be a simple
> domain/network delegation). Which are your problems?

I ran into problems with the version of DNS that we're running.
I have three internal DNS servers; one primary and two secondary all
of which are running the out-of-the-box DNS that comes with
Solaris 2.3 and 2.5.    I was not able to get it to forward requests
for session.rservices.com to their session server even though
I had all the config correct.

What I ended up doing was configuring our internet firewall to
be authoritative for the session.rservices.com domain.

Our DNS setup is such that all requests that our internal
servers can't resolve are forwarded to our internet firewall.
This allows end-users to resolve all internal and internet addresses.

The firewall is running BIND 4.9.3, which I was able to get
to forward to their session server.

So any requests for host.session.rservices.com get sent from
our internal DNS servers to our internet firewall and the firewall
points back to the session server on our internal network.


> 
> 
>                  \|||/
>                  (. .)
> +-------------ooO-(_)-Ooo------------------------------------------------+
> | Bruno RAOULT - Chess, tonight?                                         |
> |                                                                        |
> |  Tel.   (33-1) 42.13.45.19         Fax:    (33-1) 42.13.69.66          |
> |  Kobby. (33-1) 51.01.20.71         e-mail: br@ota.societe-generale.fr  |
> +------------------------------------------------------------------------+
>                  || ||
>                 ooO Ooo
> 
> 

----------------------------
Ken Kempster
Republic National Bank
kempster@monarch.rnb.com
----------------------------
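The DNS arrangement Ken describes (internal servers that forward everything they cannot resolve to the Internet firewall, and a firewall that is authoritative for session.rservices.com and hands those names back to the Reuters session server on the inside) can be expressed as BIND 4.9.3 named.boot files. The following is an added illustration, not Ken's actual configuration: the addresses 192.0.2.1 (firewall), 192.0.2.10 (session server as seen through the PIX) and the zone/file names corp.example, db.corp, db.session are placeholders, and the choice to pull session.rservices.com as a secondary zone from the session server is an assumption about what "points back to the session server" means, since BIND 4 has no per-zone forwarding.

```text
; --- /etc/named.boot on each INTERNAL server (constructed example) ---
; Internal servers answer for the corporate zones themselves and send
; every other query to the Internet firewall.  "forward-only" (BIND 4.9
; syntax; older releases spelled it "slave") stops them from ever
; contacting Internet root servers directly.
directory   /var/named
primary     corp.example                 db.corp
primary     0.0.127.in-addr.arpa         db.127.0.0
cache       .                            db.cache
forwarders  192.0.2.1                    ; placeholder: Internet firewall
options     forward-only

; --- /etc/named.boot on the INTERNET FIREWALL (constructed example) ---
; The firewall is authoritative for session.rservices.com.  Here it is
; a secondary that transfers the zone from the Reuters session server,
; so internal clients get answers that point at the session server
; without any query leaving for the Internet.  (Assumption: the session
; server's DNS proxy permits the zone transfer; otherwise the firewall
; would have to be primary with a hand-maintained db.session.)
directory   /var/named
secondary   session.rservices.com   192.0.2.10   db.session.bak
cache       .                       db.cache
```

Two things to check before relying on this: the zone transfer runs over TCP port 53 from the firewall to 192.0.2.10, so that flow must be allowed through the PIX in the direction the internal side initiates (consistent with the one-way policy in the message), and with `forward-only` on the internal servers the firewall becomes the single point of failure for all non-local name resolution, which is why running more than one forwarder is the usual advice.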


