firewall dilemma

James Lee Bell jbell@eai-healthcare.com
Tue, 23 May 2000 15:42:46 -0700


Newbies babbling at newbies... it's a scary thing. ;-)  At any rate, I
missed a huge chunk between non-security minded users having more pull
and the options. What are the lusers wanting exactly?  What OS are you
running on the DMZ machines, and what kind of access are they wanting to
them?  It seems like they're wanting to be able to map drives to these
machines (maybe just the web machine)?? For what purpose? And (this is
my boss' favorite) what is the *compelling business reason* for
endangering company resources, equipment and information?

If I'm guessing correctly here, what about option 3 (teaching them how
to use CuteFTP or similar), or option 4 (the scariest if you're not
careful, put whatever machine they "need" access to inside the firewall,
give its public IP to the firewall's public nic (think multihome), and
tell the firewall to forward traffic on that IP of the correct protocol
(i.e. port number) to the now internal machine).

Joel Dudley wrote:
> the other side of the firewall lies the DMZ where web, mail, DNS, etc
> servers lie.  And of course they have public routable class C IP's.  Now,
> the cranky and not so security minded users who have more pull than the
> poor network admin
> 
> anyway I have two options (I think).  Put a public NIC in each of the DMZ
> machines.  My only fear is that someone gets in and hacks the routing tables
> and voila!  welcome to my network.   I can also allow nbsession (137/9)
> through the firewall.  Allowing only the local workstations to map drives in
> the DMZ.  I would lose NT domain architecture but who cares.   I am just
> stumped on how to achieve the latter solution.  Anyone have experience in
> this?  A sample script perhaps?  Thanks in advance and I hope this is my
> last firewall post.
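The "option 4" layout from the reply above, as an added example that is not part of the thread: the firewall takes over the server's former public address on its outside NIC and forwards only the listed ports to the now-internal host. It assumes a Linux netfilter firewall (the thread never names one); interface names, addresses and ports are placeholders.

```shell
#!/bin/sh
# Assumed layout (all values are placeholders, not from the thread):
#   eth0  = firewall's public NIC; 203.0.113.10 is the web server's old
#           public address, now aliased onto eth0 (the "multihome" step)
#   eth1  = internal NIC; the web server now lives at 192.168.10.20
#   Only TCP 80 and 443 are forwarded; anything else sent to that IP is
#   dropped by the default-deny FORWARD policy.
EXT_IF=eth0
PUB_ALIAS=203.0.113.10
INT_IF=eth1
INT_HOST=192.168.10.20
PORTS="80 443"

# With DRY_RUN=1 (the default) each command is printed, one per line, so
# the rule set can be reviewed before it is applied to the firewall.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

build_rules() {
    # 1. Move the server's old public address onto the firewall's outside NIC.
    run ip addr add "$PUB_ALIAS/32" dev "$EXT_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Default deny: no forwarded traffic crosses unless listed below.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $PORTS; do
        # 3. Rewrite the destination to the internal host, per allowed port.
        run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUB_ALIAS" \
            -p tcp --dport "$p" -j DNAT --to-destination "$INT_HOST:$p"
        # 4. Permit only that rewritten traffic onto the internal interface.
        run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$INT_HOST" \
            -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Review helper: how many rules admit *new* connections to the internal
# host. It must equal the number of forwarded ports and nothing more.
count_forward_accepts() {
    DRY_RUN=1 build_rules | grep -c -- '-A FORWARD .*--ctstate NEW -j ACCEPT'
}
```

Replies from the internal host flow back through the same firewall, so conntrack reverses the DNAT without any extra SNAT rule as long as the firewall is that host's default gateway.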