Firewall Wizards mailing list archives
Any Holes?
From: "Giesinger, Nick HE0" <ngiesing () health gov sk ca>
Date: Thu, 18 Sep 1997 13:40:26 -0600
We have a security requirement to allow third parties to access data. The firewall that we originally obtained was act as a proxy server. It is now being asked to perform this connection. The firewall has three network cards, Internal, external and dmz. Access will not be allowed from external to internal directly. The firewall has a bank of IP assigned to the external card when a specific ip (ie: 100.1.1.1) accessed at a specific port (ie: 4000) the external card maps to a different ip ie:(10.2.2.2) and port (ie: 4100) to the dmz. On the dmz, the web server will require a logon and password. It also requires a x.509 certificate. The certificate authority resides in the dmz as well. Once a connect has been established the webserver, through asp pages, proxies to the firewall at a different ip (ie: 10.2.2.254) and port (ie: 5000) to which the firewall maps to yet another ip (ie: 10.10.2.2) and port (ie: 5001) which is the internal network. The internal database server verifies the poxied request spawned by the dmz web server and depending on the proxy acc't access rights grants the varring database access. The connection between the dmz web server and internal database is through the database propriety encryption/connection supplied with the db which runs only over ip. The web server is IIS3.0, the CA is WebCA 1.01, both using NT 4.0 and various patches/hot fixes. The firewall is Borderware 4.1 with patches. The database is MS SQL 6.5 NT 4.0 has no generic acc'ts (except the proxy accounts but these reside on the internal system not the dmz) and no anonymous logins. No routing between nic's. The web pages reside on a different physical drive then OS. Permissions are only granted to the web drive. Administror has access to all. The files system is NTFS. IIS3.0 allows clear text login, with x.509 this should be sufficient. ASP pages are the main source of request/retrieveals. We do not have total control over the client computer, but it does require a x.509 certificate and user name login. What have I forgotten? Nick G.
Current thread:
- Any Holes? Giesinger, Nick HE0 (Sep 18)
- <Possible follow-ups>
- RE: Any Holes? Safier, Adam (GEIS) (Sep 19)