Re: [fw-wiz] Access to internal resources

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/22/04

    To: Nathan Casey <ncasey@sonoma-county.org>
    Date: Tue, 22 Jun 2004 11:17:34 -0400 (EDT)
    
    

    On Tue, 22 Jun 2004, Nathan Casey wrote:

    > We have SQL data which can currently be viewed on our internal Intranet
    > by select employees. Access to the SQL data site is controlled by NTFS
    > permissions. Now, we are required to make the same SQL data available
    > over the internet to the same group of people that have internal access.
    > Our external web server is in a PIX DMZ separate from our internal
    > network. Would it be possible to use MS ISA server to act as a reverse
    > proxy to allow external users access SQL data in a browser over the
    > public internet?

    For read-only access, it's likely "better" to clone the data and let them
    access the data on a DMZ/Extranet machine with suitable authentication
    (VPNs with auth work well.)

    This gives several advantages: Internet users can't ever change the "real"
    data, no matter what bugs are in the application, revocation issues aside,
    it's difficult to deal with a compromise in a hotel or someone's house.
    You get a "backup database" should you have a hardware failure, which can
    be a real lifesaver, and you can further lock down the writable database
    system, and point internal users at the read-only copy too, and have real
    separation.

    I'd be wary of allowing external systems to use internal credentials to
    access an internal production server; the failure modes are pretty bad,
    but only you can make a real risk assessment on the value proposition.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
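
The cloned read-only copy recommended in the reply above, as an added sketch that is not part of the original message. It assumes SQLite as a stand-in for the SQL server; the `records` table, file names and function names are constructed for illustration. The internal side pushes a snapshot outward, and the Internet-facing application only ever holds a read-only handle to the copy.

```python
import os
import sqlite3
import tempfile

def make_internal_db(path):
    """Constructed stand-in for the internal, writable production database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, value TEXT)")
    con.executemany("INSERT INTO records (owner, value) VALUES (?, ?)",
                    [("alice", "parcel 101"), ("bob", "parcel 202")])
    con.commit()
    con.close()

def publish_snapshot(internal_path, dmz_path):
    """Runs on the internal side and pushes a full copy outward, so the DMZ
    host never needs credentials for, or a connection to, the internal server."""
    src = sqlite3.connect(f"file:{internal_path}?mode=ro", uri=True)
    tmp = dmz_path + ".new"
    dst = sqlite3.connect(tmp)
    src.backup(dst)             # consistent page-level copy of the source
    dst.close()
    src.close()
    os.replace(tmp, dmz_path)   # atomic swap: readers never see a partial copy

def open_dmz_copy(dmz_path):
    """Handle used by the Internet-facing application: opened read-only."""
    return sqlite3.connect(f"file:{dmz_path}?mode=ro", uri=True)

def write_is_rejected(con):
    """Return True if the handle refuses a modification attempt."""
    try:
        con.execute("UPDATE records SET value = 'tampered'")
        con.commit()
    except sqlite3.OperationalError:
        return True
    return False

def demo():
    d = tempfile.mkdtemp()
    internal, dmz = os.path.join(d, "internal.db"), os.path.join(d, "dmz.db")
    make_internal_db(internal)
    publish_snapshot(internal, dmz)
    con = open_dmz_copy(dmz)
    rows = con.execute("SELECT owner, value FROM records ORDER BY id").fetchall()
    rejected = write_is_rejected(con)
    con.close()
    check = sqlite3.connect(internal)
    original = check.execute("SELECT value FROM records ORDER BY id").fetchall()
    check.close()
    return rows, rejected, original
```
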

