RE: [fw-wiz] Sources for Extranet Designs?

From: Wes Noonan (
Date: 02/23/04

  • Next message: Paul Robertson: "RE: [fw-wiz] Sources for Extranet Designs?"
    To: "'Baumann, Sean C.'" <>, "'R. DuFresne'" <>
    Date: Mon, 23 Feb 2004 14:47:10 -0600

    > I totally agree with what you are saying. Of course, we would be taking
    > (and already do) the minimalist approach. In other words, we only allow
    > very specific things into our network (extranet or internal, doesn't
    > matter). However, allowing these connections does not preclude someone
    > from trying to abuse our servers/services. I guess I am not comfortable
    > with just [stateful] packet filtering or other non-application-aware
    > security gateways. Maybe I should look into some other type of IPS.

    IPS would be a no-brainer for me in this scenario. One thing I don't want to
    do is give you the impression that packet filtering is the only way to go.
    Was it Marcus that said "Security is like onions, there are many layers"?
    That is a good way to approach it. Using CITRIX front ends is another
    option I would look at to determine if it is viable or not. I know of many
    folks who are doing this or using Citrix on WYSE terminals running XP
    embedded to do this kind of a thing. Gives them even more control.

    > Perhaps I need to investigate something that can perform the same
    > functions that our DMZ web servers perform. Perhaps something that can
    > act as a go-between or proxy, which we can be sufficiently locked-down.
    > Anybody know of anything that can do this, besides SOCKS (which would
    > only provide authentication, I suppose)? While you are giving your
    > partner 1521 access to a particular server, there could be many
    > databases located there. What if you just want them to have access to
    > one? I guess you could design your DB architecture better, but that is
    > beyond this discussion :) The key would probably be the SID in my
    > situation, but that would require something that can look into the
    > application data (please no SEF/Raptor firewall references please :) ).

    Actually, I don't think it is beyond the scope of the discussion. In fact, I
    think that a lot of the problems that are created by these scenarios are the
    lack of someone to look at the problem and solution from top to bottom. The
    network guys work the network, the app guys work the app and nowhere do
    they work together. When you start to get into questions of "what about the
    other databases on that server" that is where I think the app guys have to
    step up and do the necessary hardening at that level, especially if you have
    a limitation of not being able to separate resources.

    > Yes, this is what we will most likely implement. NAT on our side,
    > hiding our real address scheme, using some routable addresses we already
    > own. However, do you usually require your customers to present you with
    > routable address from their side?

    I'm indifferent. Like David said it is easier to use routable addresses. If
    not, work some NAT magic. Doesn't matter too much to me.


    Wes Noonan
    Hardening Network Infrastructure - A concise how to guide
    Available Spring 2004
    Order at

    firewall-wizards mailing list
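The thread above makes the point that a stateful packet filter only sees "partner X may reach TCP/1521 on server Y", while restricting the partner to one database on that server means reading the SID (or SERVICE_NAME) inside the Oracle TNS Connect packet. The following is an added example, not code from the thread or from any product mentioned in it: it builds a constructed TNS Connect packet, pulls the connect descriptor out of it using the connect-data length/offset fields of the TNS header, parses the nested `(KEY=VALUE)` descriptor, and applies a fail-closed SID/SERVICE_NAME allowlist. The numeric field values in `build_connect_packet` and the names `PARTNER1` and `db1.example.internal` are constructed for the example; only the length and offset fields matter to the parser.

```python
"""Application-layer allowlisting of Oracle TNS connect requests (added example)."""
import struct

TNS_TYPE_CONNECT = 1
# Fixed part of a TNS Connect packet body (after the 8-byte TNS header).
# Field values below are constructed; only connect-data length/offset are used.
FIXED_FMT = ">HHHHHHHHHHIBBII8s"


def build_connect_packet(descriptor):
    """Build a constructed TNS Connect packet carrying the given connect descriptor."""
    data = descriptor.encode("ascii")
    offset = 8 + struct.calcsize(FIXED_FMT)  # connect data follows the fixed fields
    fixed = struct.pack(
        FIXED_FMT,
        0x0138, 0x012C,      # version, lowest compatible version
        0x0000, 0x0800, 0x7FFF,  # service options, SDU size, TDU size
        0x4F98, 0x0001, 0x0001,  # NT protocol characteristics, line turnaround, byte-order marker
        len(data), offset,   # connect data length, connect data offset (from packet start)
        0x00000200,          # max receivable connect data
        0x41, 0x41,          # connect flags 0 and 1
        0, 0,                # trace cross-facility items
        b"\x00" * 8,         # trace unique connection id
    )
    total_len = 8 + len(fixed) + len(data)
    header = struct.pack(">HHBBH", total_len, 0, TNS_TYPE_CONNECT, 0, 0)
    return header + fixed + data


def extract_connect_data(packet):
    """Return the connect descriptor string from a TNS Connect packet.

    Raises ValueError on anything that is not a well-formed Connect packet,
    so that the caller can fail closed."""
    if len(packet) < 28:
        raise ValueError("truncated TNS packet")
    length, _csum, ptype, _reserved, _hcsum = struct.unpack(">HHBBH", packet[:8])
    if ptype != TNS_TYPE_CONNECT:
        raise ValueError("not a TNS Connect packet (type %d)" % ptype)
    if length != len(packet):
        raise ValueError("TNS length field does not match packet size")
    data_len, data_off = struct.unpack(">HH", packet[24:28])  # connect data length/offset
    if data_off < 28 or data_off + data_len > len(packet):
        raise ValueError("connect data out of bounds")
    return packet[data_off:data_off + data_len].decode("ascii", errors="replace")


def parse_descriptor(text):
    """Flatten a nested descriptor like (DESCRIPTION=(CONNECT_DATA=(SID=ORCL)))
    into a dict of leaf KEY -> VALUE. Keys are upper-cased; values are kept as-is."""
    leaves = {}

    def parse_group(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        eq = text.index("=", pos)
        key = text[pos + 1:eq].strip().upper()
        pos = eq + 1
        if text[pos] == "(":
            while text[pos] == "(":          # nested groups
                pos = parse_group(pos)
        else:                                # leaf value up to the closing paren
            end = text.index(")", pos)
            leaves[key] = text[pos:end].strip()
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return pos + 1

    pos = 0
    while pos < len(text) and text[pos] == "(":
        pos = parse_group(pos)
    return leaves


def decide(packet, allowed_targets):
    """Return (verdict, reason) for one Connect packet against an allowlist of
    SIDs / SERVICE_NAMEs (compared case-insensitively). Unparsable input is dropped."""
    try:
        fields = parse_descriptor(extract_connect_data(packet))
    except (ValueError, IndexError) as exc:
        return "DROP", "unparsable connect request: %s" % exc
    target = fields.get("SID") or fields.get("SERVICE_NAME")
    if target is None:
        return "DROP", "no SID or SERVICE_NAME in CONNECT_DATA"
    if target.upper() in {t.upper() for t in allowed_targets}:
        return "ALLOW", "target %s is on the partner allowlist" % target
    return "DROP", "target %s is not on the partner allowlist" % target


if __name__ == "__main__":
    allow = {"PARTNER1"}  # constructed: the one database this partner may reach
    for desc in (
        "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.internal)(PORT=1521))"
        "(CONNECT_DATA=(SID=PARTNER1)))",
        "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=hr.example.internal)))",
    ):
        print(decide(build_connect_packet(desc), allow))
```

The check is deliberately fail-closed: a packet that is not a Connect packet, that lies about its length, or whose descriptor does not parse is dropped rather than passed through, which is the behaviour you want from anything that sits between a partner and a shared database host.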
