RE: Prividing Intranet Website Access To External Users
From: Javier Otero De Alba (jotero_at_smartekh.com)
Date: 02/10/05
- Previous message: xyberpix: "Re: Taking control of user's desktops"
- Maybe in reply to: rusty chiles: "Prividing Intranet Website Access To External Users"
- Next in thread: Steve.Cummings_at_barclayscapital.com: "RE: Prividing Intranet Website Access To External Users"
Date: Thu, 10 Feb 2005 09:55:39 -0600
To: "Brandon Kovacs" <liljoker771@gmail.com>

If you use an IPSec VPN you get access to ALL of the LAN; after that you need to start closing access, and the one that remains open is the problem. Do you remember Murphy?
All requirements are met by Secure Access.
It can be installed in the DMZ, with a double firewall, internally, and others.
And yes, you can use a Linux box with free software on a very cheap machine (old Pentium): spend some months, no documentation, low investment, high TCO, lost business opportunity.
Ing. Fco. Javier Otero De Alba
Diploma in Information Security, ITESM CEM
ITStrap
Product Manager
Juniper Secure Access SSL
5243-4782 to 84, Ext. 300
México, D.F.
-----Original Message-----
From: Brandon Kovacs [mailto:liljoker771@gmail.com]
Sent: Wednesday, February 9, 2005 12:28 p.m.
To: Javier Otero De Alba
CC: rusty chiles; security-basics@securityfocus.com
Subject: Re: Prividing Intranet Website Access To External Users
Or you could tunnel it with VPN
On Mon, 7 Feb 2005 11:38:37 -0600, Javier Otero De Alba
<jotero@smartekh.com> wrote:
> If you want to do this in a couple of days, use Juniper Secure Access SSL; it does all you want and implements very fast.
> Visit www.juniper.net
>
> Ing. Fco. Javier Otero De Alba
> Diploma in Information Security, ITESM CEM
> ITStrap
> Product Manager
> 5243-4782 to 84, Ext. 300
> México, D.F.
>
> -----Original Message-----
> From: rusty chiles [mailto:rustychiles@gmail.com]
> Sent: Friday, February 4, 2005 06:17 p.m.
> To: security-basics@securityfocus.com
> Subject: Prividing Intranet Website Access To External Users
>
> Greetings,
>
> I'm asking for recommendations with the following scenario:
>
> We have an internal intranet site. Users are authenticated using their
> NT credentials.
>
> We need to provide the site externally, translate the internal links
> to external links, and still pass their NT credentials to the website.
>
> MGMT wants to do this without VPN, or any other 3rd party software on
> the client's computer.
>
> The goal here is a single user sign on, so that the end user is
> presented with the same experience at home as they are at work.
>
> We WILL use SSL to protect the transportation of the userid and password.
>
> The web server is IIS on Windows 2003.
>
> The web server will be in the DMZ, and only port 443 will be allowed
> from the outside world.
>
> The problem is that the web server in the DMZ will need to have the ability
> to talk to the domain controller, as well as a SQL server.
>
> I prefer my resources be separated, and never have internal servers
> traverse the DMZ, but in this case that is not possible due to a
> dependency on the website having tight integration with Active
> Directory resources.
>
> We could put a SQL box in the DMZ, but a domain controller... I
> don't feel comfortable doing that. If one box in the DMZ is compromised,
> then the DC is open to direct attack.
>
> If the box talks from the DMZ to the internal domain controller, we
> can ACL the traffic so that it only talks over limited port numbers;
> however, there is still some risk involved (which we may have to
> accept).
>
> What experience have members of this list had with publishing their
> intranets to the internet in a secure manner?
>
> What has worked reliably, and still provided solid security?
>
> I've considered an SSL VPN type portal, ISA Server, and the like as
> well as several forwarding proxies, but am not 100% comfortable with
> any of the solutions I have seen thus far.
>
> Any recommendations list members can make will be helpful to us.
>
--
-Brandon
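
The thread raises two related points: the original question proposes ACLs that let the DMZ web server reach the domain controller and SQL server only on limited ports, and the reply warns that the rule left open is the problem. The audit below is an added example, not part of any message in the thread; the host names, port numbers and rules are constructed assumptions.

```python
from itertools import product

# Constructed for illustration; none of these names, ports or rules come from the thread.
HOSTS = ["internet", "dmz-web", "dc", "sql", "fileserver"]
PORTS = [88, 389, 443, 445, 1433, 3389]  # assumed ports of interest
# Flows the described design intends to allow (DC and SQL ports are assumptions).
INTENDED = {
    ("internet", "dmz-web", 443),  # only 443 from the outside world
    ("dmz-web", "dc", 88),         # Kerberos to the domain controller
    ("dmz-web", "dc", 389),        # LDAP to the domain controller
    ("dmz-web", "sql", 1433),      # SQL Server
}

def decide(rules, src, dst, port):
    """First matching rule wins; a field matches if it is 'any' or equal. No match means deny."""
    for action, *fields in rules:
        if all(f in ("any", v) for f, v in zip(fields, (src, dst, port))):
            return action
    return "deny"

def audit(rules, intended=INTENDED):
    """Return (leftover, broken): permitted-but-unintended flows, and intended flows that are denied."""
    leftover, broken = set(), set()
    for flow in product(HOSTS, HOSTS, PORTS):
        if flow[0] == flow[1]:
            continue
        allowed = decide(rules, *flow) == "permit"
        if allowed and flow not in intended:
            leftover.add(flow)
        elif not allowed and flow in intended:
            broken.add(flow)
    return leftover, broken

# Constructed rule set: tight except for one forgotten broad rule.
RULES = [
    ("permit", "internet", "dmz-web", 443),
    ("permit", "dmz-web", "dc", 88),
    ("permit", "dmz-web", "dc", 389),
    ("permit", "dmz-web", "sql", 1433),
    ("permit", "dmz-web", "dc", "any"),  # leftover from troubleshooting
    ("deny", "any", "any", "any"),
]

if __name__ == "__main__":
    leftover, broken = audit(RULES)
    for flow in sorted(leftover):
        print("unintended permit:", flow)
    for flow in sorted(broken):
        print("intended flow denied:", flow)
```

Running the audit on every rule change catches both a forgotten broad permit and a deny placed ahead of a flow the site depends on.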