Firewall Wizards mailing list archives
Re: IP/HTTP from the internet to internal network
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 2 Dec 2002 08:20:52 -0500 (EST)
On Mon, 2 Dec 2002, Shimon Silberschlag wrote:
> When forced by business requirements to _consider_ allowing traffic from the internet, through some application server, to a server on the internal network that holds info for the application, what would be your reaction/design/tools to secure this traffic?
0. Control of the remote machine's configuration and integrity.
1. Extremely strong authentication.
2. A good encrypted transport.
3. Firewalls between those systems and the rest of the network.
4. An extra FTE to monitor things.
5. A raise.
6. A review of the business's insurance.
7. A written document absolving me of responsibility for the eventual failure.
8. A direct process into "no longer authorized to access this system" be it employee/former-employee data or customer data.
9. Integrity checking all through the chain.
A. Data (rather than host) integrity assigned to someone who can responsibly handle the task given a compromised endpoint.
B. A working disaster recovery plan that covers compromise of each important piece in the chain.
C. Complete veto authority over the next seven requests that mirror this, but require other important bits of infrastructure to be exposed.
D. Control of people scope-creeping other "neat" Internet-based applications which will eventually make their way onto the machine.
E. Better logging on everything, with better log servers.
F. A six month time extension to test the theory that it can be done "well enough" *before* the decision to actually do it is made.
10. The option to pull the site off the 'Net immediately should the threat level against any component of the architecture be high enough to warrant it. In writing.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment
                             TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
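Items 0, 9 and A of the reply above (configuration/integrity control of the exposed machine, integrity checking along the chain, and integrity ownership that survives a compromised endpoint) can be illustrated with a small baseline-and-verify routine. The code below is an added example, not part of the original post or of anything the list participants wrote; the file snapshots, paths and the manifest-signing key are constructed for illustration. The design point it demonstrates is that the baseline manifest is HMAC-signed with a key held by the monitoring side rather than on the monitored host, so a compromised endpoint cannot simply rewrite the "known good" record to match its tampered files.

```python
import hashlib
import hmac
import json

# Constructed sample "host snapshot" (path -> file contents). In practice the
# snapshot would be read from the application server and the internal data
# server; here it is embedded so the example runs offline.
BASELINE_FILES = {
    "/opt/app/bin/appserver": b"ELF...v1.0",
    "/opt/app/conf/app.conf": b"db_host=10.0.1.5\nauth=strong\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}

# A later, constructed snapshot: one config value has silently changed and an
# unexpected file has appeared. This exercises the detection path.
DRIFTED_FILES = {
    "/opt/app/bin/appserver": b"ELF...v1.0",
    "/opt/app/conf/app.conf": b"db_host=10.0.1.5\nauth=none\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/app/bin/helper.so": b"unexpected",
}

# Hypothetical manifest-signing key. On a real deployment this lives with the
# party that owns data integrity (item A in the reply), never on the monitored
# host, so a compromised endpoint cannot forge a clean manifest.
MANIFEST_KEY = b"example-key-held-off-host"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def _sign(digests: dict) -> str:
    """HMAC-SHA256 over the canonical JSON form of the digest table."""
    payload = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, payload, "sha256").hexdigest()


def build_manifest(files: dict) -> dict:
    """Record one digest per path and sign the whole table."""
    digests = {path: sha256_hex(content) for path, content in files.items()}
    return {"digests": digests, "sig": _sign(digests)}


def manifest_is_authentic(manifest: dict) -> bool:
    """Reject a manifest whose digest table was edited after signing."""
    return hmac.compare_digest(_sign(manifest["digests"]), manifest["sig"])


def verify(manifest: dict, files: dict) -> dict:
    """Compare a fresh snapshot against the signed baseline.

    Returns the paths that were added, removed or modified relative to the
    baseline. Raises if the baseline itself fails its signature check.
    """
    if not manifest_is_authentic(manifest):
        raise ValueError("baseline manifest signature check failed")
    baseline = manifest["digests"]
    current = {path: sha256_hex(content) for path, content in files.items()}
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def is_clean(report: dict) -> bool:
    """True when the snapshot matches the baseline exactly."""
    return not (report["added"] or report["removed"] or report["modified"])


if __name__ == "__main__":
    manifest = build_manifest(BASELINE_FILES)
    print("baseline vs itself:", json.dumps(verify(manifest, BASELINE_FILES)))
    print("baseline vs drifted:", json.dumps(verify(manifest, DRIFTED_FILES)))
```

Run on the constructed data, the first comparison reports no changes and the second flags `/opt/app/conf/app.conf` as modified and `/opt/app/bin/helper.so` as added. Extending this to the "whole chain" of item 9 means producing one signed manifest per component (application server, internal data server, firewall configuration) and having the off-host monitor, not the hosts themselves, run the comparison and feed its report into the logging the reply asks for in item E.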
Current thread:
- RE: Outlook Web Access - Paranoid? Matt Wilbur (Nov 30)
- Re: Outlook Web Access - Paranoid? Devdas Bhagat (Dec 01)
- Re: Outlook Web Access - Paranoid? Mikael Olsson (Dec 01)
- IP/HTTP from the internet to internal network Shimon Silberschlag (Dec 02)
- Re: IP/HTTP from the internet to internal network Paul D. Robertson (Dec 02)
- Message not available
- Re: IP/HTTP from the internet to internal network Dave Piscitello (Dec 04)
- Re: Outlook Web Access - Paranoid? Mikael Olsson (Dec 01)
- Re: Outlook Web Access - Paranoid? Luca Berra (Dec 02)
- Re: Outlook Web Access - Paranoid? Devdas Bhagat (Dec 01)
- <Possible follow-ups>
- RE: Outlook Web Access - Paranoid? Stefan Norberg (Dec 03)
- RE: Outlook Web Access - Paranoid? Joseph Steinberg (Dec 05)