Re: Too Paranoid?

["Paul D. Robertson" <proberts () patriot net>]

On Sun, 29 Sep 2002, Jim Seymour wrote:

> Hi,

Hi Jim,

> it.  Proprietary server software runs on this server and proprietary
> software to talk to the server runs on one-or-more MS-Win desktops.
> They use ActiveX controls.  The server, in turn, must communicate

What protocols does the desktop<-> server stuff need?  It seems to me that 
the best bet would be to put the 2k server outside the firewall on a 
service network and allow the clients to go out and access it, but this 
assumes some level of control over the client<->server protocol (if it's 
just TCP-based one-off stuff, I think you're still better off, if it needs 
NetBIOS or RPC, then it's probably just going to suck no matter what.)

> Here's the problem.  Certain third-party modules the server software
> uses to communicate to other servers on the 'net don't seem to be
> able to deal with the proxy server on the firewall.  They're given
> the IP address and port number, but they won't work that way.  The
> vendor of this lash-up wanted me to punch a hole through the
> firewall for port 443.

Even if they tunneled well, I'd still want the thing cordoned off from my 
internal network and forced to talk nicely with the specific desktop 
clients.  

I've had this fight with personnel/benifits systems before, and once we 
got to the "it needs these two TCP ports" place, isolating it wasn't all 
that difficult.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards