Security Basics mailing list archives

Re: Allow second Internet connection into Office Space?


From: James Taylor <james_n_taylor () yahoo com>
Date: Sun, 13 Oct 2002 17:59:49 -0700 (PDT)


--- Alexandros Papadopoulos <apapadop () cmu edu> wrote:

On Wednesday 09 October 2002 11:31, Chris Hylen wrote:
Security Pro's:

    A group of my programmers want to have a DSL connection put in their testing area so they can simulate end user experience across the Internet. I have concerns with this and am curious if anyone else has found a good solution to provision their business requirement without putting the network at risk.

    I know I haven't gone into enough detail for an EXACT solution but in general if anyone has any "tips" I'd appreciate it.
Thanks!

It is debatable whether a DSL line (what speed?) will be able to simulate 'user experience' without baselining the application before testing. Normally the Internet connection is the slowest link in the chain, but testing won't necessarily highlight problems in the application.

I would make sure that they have load and performance tested the separate system components (Web, App, DB, Network) before testing from an Internet/Remote user’s perspective. It is too easy to say 'Oh it's the internet/remote link’, when it may be something else within the system, e.g. bad application or database design.

Programmers (Gawd bless 'em) are not known for finding faults in their own code. It may be better to use load testing software for average/peak (as per spec) load and performance response. This brings up the point that, to test the 'user experience', the testing must be performed on an environment that directly simulates (even though it may be a cut-down version) the production environment. The development environment is not acceptable for this, but the test environment is.

The developers should not really be the team that tests in the test environment; they should sign off and test their separate components, package the application, and give it to the QA/release team to simulate in the test environment.

This then should be a separate network, which does have a separate DSL connection. Or, more likely, be located in the Production location (which will be separated from the Company network) and use the Production internet connection, thereby getting a good understanding of the maximum throughput when the system goes live.

Not being aware of the project size or duration, some of my comments may not be applicable, but I would find it hard to justify a special DSL connection into your development network, and its additional management/administrative overhead/cost, when there is testing software that can simulate an internet connection.

If they force the issue (project/time constraints), then you must install a firewall and ensure that it only allows connections IN and OUT FROM specific IPs and ports of the testing machines, harden the box, install an IDS. I would also suggest putting the development network on its own VPN and allow only permitted traffic between development and company networks. If the network is to be separated, but needs a connection to the company network, then use SSH/SFTP to connect the two. But make sure the tests really do prove 'user experience'.

Regards
James



Well, you're probably looking at one dedicated box that does NAT/firewalling and sits between the DSL and the rest of your network. All other boxes rely on this one box to secure them, so there's no pressing need for reconfiguration of the internal network.

If you want to be 100% safe of course, you would disconnect the clients not needing internet access and physically connect only a few boxes to the one with the DSL line, thus putting a limited part of your network "at risk". See how that goes, and then you can make the big step and allow (regulated) internet traffic to flow through your entire network.

-A
--
http://www.andrew.cmu.edu/~apapadop/pub_key.asc
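Both replies come down to the same control: one dedicated NAT/firewall box between the DSL line and the test segment, default deny, with explicit exceptions only for the testing machines' addresses and ports. The script below is an added example, not from the thread: an iptables ruleset for that box in which the interface names (eth0/eth1), the tester addresses (192.0.2.x) and the permitted ports are constructed placeholders, and the testers are assumed to need outbound access only, with nothing from the DSL side allowed to initiate inward.

```shell
#!/bin/sh
# Added example: firewall for the DSL test segment (placeholders, see comments).
WAN_IF=${WAN_IF:-eth0}      # assumption: interface facing the DSL modem
LAN_IF=${LAN_IF:-eth1}      # assumption: interface facing the testers
TEST_HOSTS=${TEST_HOSTS:-"192.0.2.10 192.0.2.11"}   # constructed tester IPs
ALLOWED_PORTS=${ALLOWED_PORTS:-"80 443"}            # outbound TCP ports allowed

# Run iptables, or only print the command when DRY_RUN is set, so the ruleset
# can be reviewed (or tested) without root and without touching a live firewall.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -F
    ipt -t nat -F
    # Default deny in every direction; everything below is an explicit exception.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    # Loopback, plus replies to connections the firewall box itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Forwarded traffic: return packets for flows the testers opened...
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ...and new outbound flows only from listed tester IPs to listed TCP ports.
    for host in $TEST_HOSTS; do
        for port in $ALLOWED_PORTS; do
            ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -p tcp --dport "$port" \
                -m state --state NEW -j ACCEPT
        done
    done
    # Nothing from the DSL side may initiate inward; log what the default deny catches.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "dsl-fw-drop: "
    # Hide the test segment behind the DSL address.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Only touch the live firewall when explicitly asked: ./dsl-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Run it with `DRY_RUN=1 sh dsl-fw.sh apply` first to review the generated rules; the logged `dsl-fw-drop:` lines are what to watch on the box once it is live.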




