Firewall Wizards mailing list archives

Re: IP/HTTP from the internet to internal network


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 2 Dec 2002 08:20:52 -0500 (EST)

On Mon, 2 Dec 2002, Shimon Silberschlag wrote:

> When forced by business requirements to _consider_ allowing traffic
> from the internet, through some application server, to a server on the
> internal network that holds info for the application, what would be
> your reaction/design/tools to secure this traffic?

0.  Control of the remote machine's configuration and integrity.
1.  Extremely strong authentication.
2.  A good encrypted transport.
3.  Firewalls between those systems and the rest of the network.
4.  An extra FTE to monitor things.
5.  A raise.
6.  A review of the business's insurance.
7.  A written document absolving me of responsibility for the eventual 
failure.
8.  A direct process into "no longer authorized to access this system" be 
it employee/former-employee data or customer data.
9.  Integrity checking all through the chain.
A.  Data (rather than host) integrity assigned to someone who can 
responsibly handle the task given a compromised endpoint.
B.  A working disaster recovery plan that covers compromise of each 
important piece in the chain.
C.  Complete veto authority over the next seven requests that mirror this, 
but require other important bits of infrastructure to be exposed.
D.  Control of people scope-creeping other "neat" Internet-based 
applications which will eventually make their way onto the machine.
E.  Better logging on everything, with better log servers.
F.  A six month time extension to test the theory that it can be done 
"well enough" *before* the decision to actually do it is made.
10.  The option to pull the site off the 'Net immediately should the 
threat level against any component of the architecture be high enough to 
warrant it.  In writing.  

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
