[fw-wiz] EDI (AS2) Configuration

Date: 10/26/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 26 Oct 2005 15:44:24 -0500

    We're researching several different EDI systems and are currently gathering
    infrastructure information from the vendors. One area of concern that has
    come up is the component placement within the various firewall security
    zones (Internal/External/DMZ). Some vendors have an AS2 "listener" within
    the DMZ that receives AS2 communications from the trading partners,
    validates the data, and forwards it on to the application servers within the
    internal network. Other vendors recommend allowing the trading partners to
    communicate directly with the application servers on the internal network.
    They claim that there is enough security in the application to prevent abuse
    of the server/network.

    I see three possible configurations -

    1) Systems with AS2 communications via a "listener" in the DMZ
    2) Systems with AS2 communications via a reverse http proxy in the DMZ
    3) Systems with AS2 communications directly to internal servers

    I suppose I prefer them in the above order. Several vendors are pretty
    insistent that #3 is "good enough" because of their "excellent software" -
    I'm inclined to compromise with #2 instead.

    I'd appreciate any info anyone can offer on implementing this type of app
    (AS2-based EDI). Do I have these configurations ranked appropriately (from
    a network security perspective)? Are there configurations I'm not
    considering? Is it fair to say that configuration #3 is a "worst-case"
    scenario (from a network security perspective)?

    Any constructive comments are welcomed and appreciated!

    - Paul
    firewall-wizards mailing list
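To make concrete what the "listener" in configuration #1 (or a policy-aware reverse proxy in #2) actually buys over #3, here is an added example that is not part of the original post or of any vendor's product: a small Python model of the screening a DMZ front end can apply to an inbound AS2 request before anything is relayed to the internal application server. The header names (AS2-From, AS2-To, Message-ID, Content-Type) come from RFC 4130; the partner identifiers, endpoint path, size limit and the `screen_as2_request` function itself are assumptions constructed for the example.

```python
"""Hypothetical AS2 edge-screening policy for a DMZ listener or reverse proxy.

Added example, not from the post. It models the checks a DMZ front end can
enforce so that only well-formed, expected AS2 traffic reaches the internal
application server. Header names follow RFC 4130; everything else below
(partner IDs, path, limits) is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy values (assumptions, not from the post).
OUR_AS2_ID = "ACME-EDI"                       # the AS2-To we accept
TRUSTED_PARTNERS = {"PARTNER-A", "PARTNER-B"}  # configured trading partners
ALLOWED_PATHS = {"/as2/receive"}              # the only URL we publish
# AS2 payloads are S/MIME signed and/or encrypted (RFC 4130); anything else
# is rejected at the edge rather than parsed by the internal server.
ALLOWED_CONTENT_TYPES = ("application/pkcs7-mime", "multipart/signed")
MAX_BODY_BYTES = 20 * 1024 * 1024


@dataclass
class Request:
    """Minimal view of an inbound HTTP request as seen by the DMZ front end."""
    method: str
    path: str
    headers: dict
    body: bytes = b""


def _header(req: Request, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def screen_as2_request(req: Request) -> tuple:
    """Return (forward, reason).

    Only a request that passes every check is relayed to the internal AS2
    application server; everything else is dropped in the DMZ and logged.
    """
    if req.method != "POST":
        return False, "method not allowed"
    if req.path not in ALLOWED_PATHS:
        return False, "path is not the published AS2 endpoint"
    if len(req.body) > MAX_BODY_BYTES:
        return False, "payload exceeds size limit"
    content_type = (_header(req, "Content-Type") or "").lower()
    if not content_type.startswith(ALLOWED_CONTENT_TYPES):
        return False, "Content-Type is not an AS2 payload"
    if _header(req, "AS2-To") != OUR_AS2_ID:
        return False, "AS2-To does not name this listener"
    if _header(req, "AS2-From") not in TRUSTED_PARTNERS:
        return False, "AS2-From is not a configured trading partner"
    if not _header(req, "Message-ID"):
        return False, "missing Message-ID"
    return True, "forward to internal AS2 server"


def demo() -> list:
    """Run a few constructed requests through the policy and return the verdicts."""
    good = Request(
        "POST", "/as2/receive",
        {"Content-Type": "application/pkcs7-mime; smime-type=enveloped-data",
         "AS2-To": "ACME-EDI", "AS2-From": "PARTNER-A",
         "Message-ID": "<constructed-1@partner-a.example>"},
        b"...constructed S/MIME body...",
    )
    unknown_partner = Request(
        "POST", "/as2/receive",
        {"Content-Type": "multipart/signed; protocol=\"application/pkcs7-signature\"",
         "AS2-To": "ACME-EDI", "AS2-From": "NOBODY",
         "Message-ID": "<constructed-2@nobody.example>"},
        b"...",
    )
    probe = Request("GET", "/admin", {})  # not AS2 at all; never reaches the inside
    return [screen_as2_request(r) for r in (good, unknown_partner, probe)]


if __name__ == "__main__":
    for forward, reason in demo():
        print("FORWARD" if forward else "DROP   ", reason)
```

The point of the example is where these checks run: in configurations #1 and #2 a request that fails any of them is discarded by a host that has no EDI data and no route to the internal network beyond the one forwarding rule, and the internal application server only ever sees traffic that already matches the expected partner, endpoint and content type. In configuration #3 the same checks exist only inside the vendor's application, so any weakness in its HTTP or S/MIME handling is reachable directly from the Internet, which is why the "excellent software" argument is really a request to accept the whole application as the perimeter.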
