A good example of a NAT device would be the Linksys Cable/DSL router. This device is perfect for a small office that needs connection to the Internet and provides hardware firewall protection by limiting the IP addresses and ports that are forwarded on to backend servers. It has multiple hardware ports to build a nice sized network with. I personally own this and highly recommend this product. And no, I don't get kickbacks from them! :-)
Also, the debate of how to properly configure your network from a security perspective can have religious overtones! ;-) There is more to security than "add two parts firewall, one part proxy, 3 parts SSL, one part virus-scanner, mix well..."

Cheers,
Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 9:35 AM
To: [EMAIL PROTECTED]
Subject: RE: Why DNS/IP in certificate?

Personally I would have a second server outside the NAT device that proxies requests in and out of the server behind the firewall. There seems to me little point in having a firewall if you allow public access straight through it! In that case you can secure the connection between the outside machine and the client machine without worrying about the firewall.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)

>-----Original Message-----
>From: Stanley Hopcroft [mailto:[EMAIL PROTECTED]]
>Sent: 14 January 2002 09:36
>To: [EMAIL PROTECTED]
>Subject: Re: Why DNS/IP in certificate?
>
>
>Dear Ladies and Gentlemen,
>
>I am writing to thank you for your comments about this matter and ask
>
>On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:
>>
>> The client needs to verify who it is connected to.
>> Anyone in the world can present a certificate to
>> establish an ssl connection. In a nutshell, the
>> checks that need to be made on the client end are:
>> a. Do you trust the signer of the certificate received
>> b. Is the CN contained within the cert what you expect
>>
>
>..snip..
>
>> Your next task is to ensure that the
>> trusted cert truly came from the site you expected and
>> not www.someothersite.com. The browser does this step by
>> comparing the CN contained in the cert to the URL address
>> typed into your browser. Your own app must do so as well...
>>
>
>is it possible to have an OpenSSL server located behind a
>Network Address Translation device (a NAT device is sometimes part of
>firewalls, eg the Cisco PIX) and still have the client handshake
>complete without error ?
>
>Here is the scenario.
>
>Server has valid certificate signed by root CA for Distinguished Name
>'S'.
>
>DNS responds to an A record request from the client for S, with the
>public interface of the NAT device (PTR query for that address also
>returns S), but the OpenSSL server with that cert has a completely
>different address (because it's been translated)
>
>One might do this because of outsourcing or merger activities that
>result in a new or different firewall.
>
>Presumably the network between the NAT box and the OpenSSL server is
>secure enough to be tolerable.
>
>So :-
>
>1 Will the scenario above work ?
>2 If not, how can it be made to work ?
>
>Thank you,
>
>Yours sincerely.
>
>--
>------------------------------------------------------------------------
>Stanley Hopcroft                                      Network Specialist
>------------------------------------------------------------------------
>
>'...No man is an island, entire of itself; every man is a piece of the
>continent, a part of the main. If a clod be washed away by the sea,
>Europe is the less, as well as if a promontory were, as well as if a
>manor of thy friend's or of thine own were. Any man's death diminishes
>me, because I am involved in mankind; and therefore never send to know
>for whom the bell tolls; it tolls for thee...'
>
>from Meditation 17, J Donne.
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                       [EMAIL PROTECTED]
>Automated List Manager                          [EMAIL PROTECTED]
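The two client-side checks Neff Robert A lists in the quoted message (a: do you trust the signer, b: does the name in the cert match what you expected) and Stanley Hopcroft's NAT scenario, worked through as an added example that is not part of this thread and not OpenSSL's own code. Check (a) is modelled as a set of trusted issuer names (a real client lets the TLS library walk the chain to a trusted root instead); check (b) follows the RFC 6125 style rules browsers use for comparing dNSName/iPAddress SAN entries and the CN against the host the user typed. The certificate dicts, the DNS table, the NAT forwarding table and all names and addresses (s.example.test, 203.0.113.10, 192.0.2.5, "Example Root CA") are constructed for this example.

```python
"""
Added example (not from the mailing-list thread): the client-side identity
checks discussed above, with the NAT scenario from Stanley Hopcroft's mail.

A certificate is a plain dict so the example runs offline:
  {"subject_cn": str, "san": {"dns": [...], "ip": [...]}, "issuer": str}
All values below are constructed for this example.
"""
import ipaddress
from typing import Tuple

# Check (a), modelled as a set of trusted issuers.  A real client would let
# the TLS library verify the chain to a trusted root (in OpenSSL:
# SSL_CTX_set_verify with SSL_VERIFY_PEER) - this set is an assumption.
TRUSTED_ISSUERS = {"Example Root CA"}


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive; a '*' is allowed only
    as the whole leftmost label, matches exactly one label, and never
    matches a registered domain such as '*.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: dict, requested: str) -> bool:
    """Check (b): does the certificate name what the client set out to reach?
    `requested` is the host part of the URL the user typed: a DNS name or an
    IP literal.  This is the 'DNS/IP in certificate' point of the thread."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    san = cert.get("san", {})
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries, never
        # with the CN, so a cert that only names the DNS name fails here.
        return any(ipaddress.ip_address(a) == ip for a in san.get("ip", []))
    dns_names = san.get("dns", [])
    if dns_names:
        # When dNSName SANs are present the CN is ignored (browser behaviour).
        return any(_match_dns_name(n, requested) for n in dns_names)
    cn = cert.get("subject_cn")
    return cn is not None and _match_dns_name(cn, requested)


def verify_peer(cert: dict, requested: str) -> Tuple[bool, str]:
    """Both checks from the thread, in order: trusted signer, then name."""
    if cert.get("issuer") not in TRUSTED_ISSUERS:
        return False, "untrusted issuer"
    if not identity_matches(cert, requested):
        return False, "name mismatch"
    return True, "ok"


# Constructed certificate for the server 'S' in the NAT scenario.
SERVER_CERT = {
    "subject_cn": "s.example.test",
    "san": {"dns": ["s.example.test"]},
    "issuer": "Example Root CA",
}

# Constructed network: the public A record points at the NAT device's
# outside interface, which forwards to the server's translated address.
DNS = {"s.example.test": "203.0.113.10"}
NAT_FORWARD = {"203.0.113.10": "192.0.2.5"}
SERVERS = {"192.0.2.5": SERVER_CERT}


def client_connect(url_host: str) -> Tuple[bool, str]:
    """Simulate the client: resolve, cross the NAT, receive the server's
    certificate, then verify it.  Neither the resolved address nor the
    translated one takes part in the check; only the host the user typed
    is compared with the certificate, which is why NAT does not break it."""
    addr = DNS.get(url_host, url_host)          # an IP literal "resolves" to itself
    inside = NAT_FORWARD.get(addr, addr)        # what the NAT device forwards to
    cert = SERVERS[inside]                      # certificate the server presents
    return verify_peer(cert, url_host)


if __name__ == "__main__":
    print(client_connect("s.example.test"))     # name typed: matches cert for S
    print(client_connect("203.0.113.10"))       # IP typed: cert has no iPAddress SAN
```

Typing the name `s.example.test` verifies even though the server sits behind the NAT device, because the address path is invisible to the check; typing the NAT device's public IP fails unless the certificate also carries that address as an iPAddress SAN. In later OpenSSL releases check (b) is done by libssl itself once the application calls SSL_set1_host() (or X509_VERIFY_PARAM_set1_host()); at the time of this thread the application had to extract the CN or SAN and compare it, as Neff Robert A says.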