RE: [fw-wiz] EDI (AS2) Configuration

From: Paul Melson (pmelson_at_gmail.com)
Date: 11/01/05

  • Next message: Daniel Linder: "Re: [fw-wiz] PIX Dual line Internet HDSL and ADSL"
    To: <WarrenPaul@russellcorp.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 1 Nov 2005 09:35:51 -0500
    
    

    -----Original Message-----
    Subject: [fw-wiz] EDI (AS2) Configuration

    > They claim that there is enough security in the application to prevent
    > abuse of the server/network.

    What an arrogant way to try and dismiss the fact that their product lacks
    the flexibility to be deployed across a firewall DMZ. You're wise to beware
    of these jokers.

    > I'd appreciate any info anyone can offer on implementing this type of app
    > (AS2-based EDI).
    > Do I have these configurations ranked appropriately (from a network
    > security perspective)?
    > Are there configurations I'm not considering? Is it fair to say that
    > configuration #3 is a "worst-case" scenario (from a network security
    > perspective)?

    Depending on the specifics of the products and how granular the controls of
    your reverse proxy are (and how fastidious you are about configuring them),
    that may actually be the more secure way to deploy. But maybe that's just
    me not wanting to trust vendors. :)

    If done properly, AS2 shouldn't be that big of a security headache to
    deploy. Use your firewall to control and log access to the AS2 service from
    only addresses given by business partners for the purpose of EDI. Enforce
    the use of S/MIME signing and encrypting of EDI messages and signing of
    MDNs and turn on audit logging in the EDI application. That should get you
    to a reasonable level of exposure with appropriate accountability. Anything
    extra you do - like using a reverse proxy to restrict HTTP requests only to
    the secure-enough AS2 application running on the vendor's secure-enough web
    server - is to get yourself in line with your own risk analysis.

    PaulM

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
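The controls Paul lists (partner-address restriction, S/MIME encryption of the payload, signed MDNs, audit logging, and a reverse proxy that only forwards AS2 requests to the EDI endpoint) can be expressed as a single admission check at the proxy. The following is an added example, not code from the thread or from any AS2 product; the partner table, AS2 identifiers, path and sample headers are constructed, and the header names and Content-Type values follow RFC 4130.

```python
import ipaddress
from email.message import Message

# Constructed partner table (hypothetical): AS2 identifier -> networks the partner registered for EDI.
PARTNERS = {"ACME-AS2": [ipaddress.ip_network("198.51.100.0/24")],
            "GLOBEX-AS2": [ipaddress.ip_network("203.0.113.10/32")]}
OUR_AS2_ID = "OURCO-AS2"      # hypothetical local AS2 identifier
AS2_PATH = "/as2/receive"     # hypothetical: the only path the proxy forwards to the EDI app

def check_as2_request(method, path, src_ip, headers):
    """Return (allowed, reason). Policy: POST to the AS2 path only, AS2-From must be a known
    partner sending from a registered address, the payload must be S/MIME enveloped (RFC 4130
    puts the signature inside the encryption, so the proxy can only check the outer layer),
    and the sender must request a signed MDN so receipts are accountable."""
    if method != "POST" or path != AS2_PATH:
        return False, "not an AS2 POST to the EDI endpoint"
    if headers.get("AS2-To") != OUR_AS2_ID:
        return False, "AS2-To is not our identifier"
    partner = headers.get("AS2-From", "")
    nets = PARTNERS.get(partner)
    if nets is None:
        return False, "unknown AS2-From %r" % partner
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in n for n in nets):
        return False, "source %s not registered for %s" % (src_ip, partner)
    ct = Message()                      # stdlib MIME parser reads Content-Type parameters correctly
    ct["Content-Type"] = headers.get("Content-Type", "")
    if ct.get_content_type() != "application/pkcs7-mime" or ct.get_param("smime-type") != "enveloped-data":
        return False, "payload is not S/MIME encrypted"
    opts = headers.get("Disposition-Notification-Options", "").lower()
    if "signed-receipt-protocol" not in opts or "pkcs7-signature" not in opts:
        return False, "sender did not request a signed MDN"
    return True, "ok"

def audit_line(method, path, src_ip, headers):
    # One audit-log line per request, accepted or rejected, for the accountability trail.
    allowed, reason = check_as2_request(method, path, src_ip, headers)
    return "as2 %s src=%s from=%s msgid=%s reason=%s" % ("ACCEPT" if allowed else "REJECT", src_ip,
        headers.get("AS2-From", "-"), headers.get("Message-ID", "-"), reason)

def sample_headers(**overrides):
    # Constructed headers of a well-formed AS2 request; override fields to build rejected variants.
    h = {"AS2-From": "ACME-AS2", "AS2-To": OUR_AS2_ID, "Message-ID": "<constructed-1@example.com>",
         "Content-Type": 'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
         "Disposition-Notification-Options":
             "signed-receipt-protocol=required, pkcs7-signature; signed-receipt-micalg=required, sha1"}
    h.update(overrides)
    return h
```

The firewall still does the address filtering at the network layer; this check is the reverse-proxy layer Paul mentions as the optional extra, and it rejects anything that is not an encrypted, receipt-signed AS2 POST from a registered partner before the vendor's application ever sees it.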

