RE: [fw-wiz] Sources for Extranet Designs?

From: Baumann, Sean C. (Sean.Baumann_at_celera.com)
Date: 02/23/04

    To: "Wes Noonan" <mailinglists@wjnconsulting.com>, "R. DuFresne" <dufresne@sysinfo.com>
    Date: Mon, 23 Feb 2004 14:16:34 -0500
    
    

    > From: Wes Noonan [mailto:mailinglists@wjnconsulting.com]
    >
    > Never grant access to your production network or resources
    >

    Wow, you read my mind. Great guess. The crux of my current issue is
    with allowing extranet partners access to resources on my internal
    network. The problem is that we utilize "large" and expensive servers
    (think mainframe-like) for most of our internal services. Those services
    would include your normal things like NFS, DBs, web servers, and custom
    applications (things that are not necessarily web based). I don't see
    us offering extranet partners NFS, but there have been requests to allow
    direct access to DBs and some non-web-based applications. How would you
    handle granting access to these? Web-based, or Java stuff, is no big
    deal. We generally front-end all of those connections using a web
    server in a DMZ, which has limited access to services residing on the
    "internal" network. However, what can you do for DBs and non-web-based
    apps? I've kicked around the idea of SOCKS, but I don't think a partner
    would like the idea of us requiring a SOCKS client.

    Here is a little background. We already have an extranet
    infrastructure, which is limited to branch-to-branch IPSEC VPNs. We, of
    course, firewall all traffic coming in to, or going out of, our "secure"
    extranet network. Connections are allowed to a group of web servers,
    which are front-ending some web apps.

    So I guess my specific questions are:

    1.) If you say you should never allow access to resources on your
    protected or internal network, how do you handle giving access to
    services that reside on machines that cannot be duplicated (i.e.
    expensive mainframes)?
    2.) Do most companies require routable addresses on their extranet?
    Currently we use RFC 1918 addresses for our extranet, but we see that
    this will become a problem in the future as we add partners.

    Thanks,
    Sean

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

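The address-space collision anticipated in question 2 (RFC 1918 space that a partner also uses internally, or that two partners both use) is easy to catch before a partner is connected, and the usual fix is 1:1 NAT of the colliding partner prefix into a pool the host organization controls. The script below is an added example, not part of the original post or of the list archive; the owner names, prefixes and the NAT pool `10.200.0.0/16` are constructed for illustration. It checks which prefixes are RFC 1918, lists every overlapping pair (local vs. partner and partner vs. partner), and carves a same-sized NAT block out of the pool for each partner prefix that collides.

```python
"""Detect RFC 1918 address collisions between an extranet and its partners,
and plan 1:1 NAT blocks for the partner prefixes that collide.
Added example, not from the original post; all addresses are constructed."""
import ipaddress
from itertools import combinations

# The three RFC 1918 blocks. ipaddress's .is_private is wider than RFC 1918
# (it also covers loopback, link-local, TEST-NETs, ...), so test explicitly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(prefixes):
    """prefixes: {owner: [cidr, ...]}.  Returns every colliding pair across
    different owners as (owner_a, cidr_a, owner_b, cidr_b), in input order."""
    flat = [(owner, ipaddress.ip_network(c, strict=False))
            for owner, cidrs in prefixes.items() for c in cidrs]
    hits = []
    for (oa, na), (ob, nb) in combinations(flat, 2):
        if oa != ob and na.overlaps(nb):
            hits.append((oa, str(na), ob, str(nb)))
    return hits


def plan_nat(prefixes, local_owner, pool):
    """For every partner prefix that collides with anything, allocate a block of
    the same size from `pool` for 1:1 NAT.  Returns {(owner, cidr): nat_cidr}.
    The local owner's prefixes are never translated (they are the real targets)."""
    pool_net = ipaddress.ip_network(pool)
    # The pool itself must not collide with the local side, or the NATted
    # partner would just collide again after translation.
    for cidr in prefixes.get(local_owner, []):
        if pool_net.overlaps(ipaddress.ip_network(cidr, strict=False)):
            raise ValueError(f"NAT pool {pool} overlaps local prefix {cidr}")

    colliding = {}
    for oa, ca, ob, cb in find_overlaps(prefixes):
        for owner, cidr in ((oa, ca), (ob, cb)):
            if owner != local_owner:
                colliding[(owner, cidr)] = ipaddress.ip_network(cidr)

    used, plan = [], {}
    for key, net in colliding.items():
        if net.prefixlen < pool_net.prefixlen:
            raise RuntimeError(f"{key} is larger than the whole NAT pool {pool}")
        # First free same-sized block in the pool, first-fit.
        for cand in pool_net.subnets(new_prefix=net.prefixlen):
            if not any(cand.overlaps(u) for u in used):
                used.append(cand)
                plan[key] = str(cand)
                break
        else:
            raise RuntimeError(f"NAT pool {pool} exhausted while placing {key}")
    return plan


# Constructed sample: "local" is the host organization's extranet range;
# PartnerA reuses part of it and PartnerB reuses part of PartnerA's space.
EXTRANET = {
    "local":    ["10.150.0.0/16"],
    "PartnerA": ["10.150.4.0/22", "172.20.0.0/20"],
    "PartnerB": ["172.20.8.0/21"],
    "PartnerC": ["203.0.113.0/24"],   # routable (documentation range), no NAT needed
}

if __name__ == "__main__":
    for owner, cidrs in EXTRANET.items():
        for c in cidrs:
            print(f"{owner:9} {c:18} rfc1918={is_rfc1918(c)}")
    for hit in find_overlaps(EXTRANET):
        print("collision:", hit)
    for (owner, cidr), nat in plan_nat(EXTRANET, "local", "10.200.0.0/16").items():
        print(f"NAT {owner} {cidr} -> {nat}")
```

Run it once per new partner with their advertised prefixes added to the dictionary; anything that shows up in the collision list has to be NATted (or renumbered on the partner side) before the IPsec tunnel is brought up, and the firewall rules for that partner should reference the translated block, not the partner's real one.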
