Re: [fw-wiz] segmentation of DMZs
From: Miles Sabin (miles@milessabin.com)
Date: 11/15/02
- In reply to: Shimon Silberschlag: "[fw-wiz] segmentation of DMZs"
From: Miles Sabin <miles@milessabin.com> To: firewall-wizards@honor.icsalabs.com Date: Fri Nov 15 08:00:03 2002
Shimon Silberschlag wrote,
> Now, some folks here offer to further segment the infrastructure by
> having separate physical segments for presentation servers (WWW) that
> provide authenticated services (and hence have as audience a small
> subset of the internet crowd but do provide much more sensitive
> information) and those that are not authenticated (thus can serve the
> entire internet population).
I'd like to know some more details about this approach.
In this kind of scenario, is the pre-authenticated part of the
authentication dialog considered as part of the public service, or as
part of the private service? ... i.e. do clients log in on the public
server or on the private server?
If it's part of the public service, what would be the
recommended mechanism for handing off post-authentication to the
private service? Also if it's part of the public service, presumably we
still have some sensitive information present on the public server (e.g.
password hashes and whatever's needed to create an authentication token
for the private service)?
Alternatively, if it's part of the private service, then presumably the
private service has to at least offer unauthenticated access to the
authentication dialog. Granted the scope of unauthenticated access is
dramatically reduced, but wouldn't this replicate (part of) the problem
we're trying to solve?
Cheers,
Miles