Firewall Wizards mailing list archives

Any Holes?


From: "Giesinger, Nick HE0" <ngiesing () health gov sk ca>
Date: Thu, 18 Sep 1997 13:40:26 -0600

We have a security requirement to allow third parties to access data.
The firewall that we originally obtained was act as a proxy server.  It
is now being asked to perform this connection.

The firewall has three network cards, Internal, external and dmz.
Access will not be allowed from external to internal directly.  The
firewall has a bank of IP assigned to the external card when a specific
ip (ie: 100.1.1.1) accessed at a specific port (ie: 4000) the external
card maps to a different ip ie:(10.2.2.2) and port (ie: 4100) to the
dmz.  On the dmz, the web server will require a logon and password.  It
also requires a x.509 certificate.  The certificate authority resides in
the dmz as well.  Once a connect has been established the webserver,
through asp pages, proxies to the firewall at a different ip (ie:
10.2.2.254) and port (ie: 5000) to which the firewall maps to yet
another ip (ie: 10.10.2.2) and port (ie: 5001) which is the internal
network.  The internal database server verifies the poxied request
spawned by the dmz web server and depending on the proxy acc't access
rights grants the varring database access.  The connection between the
dmz web server and internal database is through the database propriety
encryption/connection supplied with the db which runs only over ip.

The web server is IIS3.0, the CA is WebCA 1.01, both using NT 4.0 and
various patches/hot fixes.  The firewall is Borderware 4.1 with patches.
The database is MS SQL 6.5

NT 4.0 has no generic acc'ts (except the proxy accounts but these reside
on the internal system not the dmz) and no anonymous logins. No routing
between nic's. The web pages reside on a different physical drive then
OS.  Permissions are only granted to the web drive. Administror has
access to all.  The files system is NTFS.  IIS3.0 allows clear text
login, with x.509 this should be sufficient.  ASP pages are the main
source of request/retrieveals.

We do not have total control over the client computer, but it does
require a x.509 certificate and user name login.

What have I forgotten? 

Nick G.



Current thread: