Firewall Wizards mailing list archives

RE: Sources for Extranet Designs?


From: "Baumann, Sean C." <Sean.Baumann () celera com>
Date: Mon, 23 Feb 2004 14:16:34 -0500



From: Wes Noonan [mailto:mailinglists () wjnconsulting com] 

Never grant access to your production network or resources


Wow, you read my mind.  Great guess.  The crux of my current issue is
with allowing extranet partners access to resources on my internal network.
The problem is that we utilize "large" and expensive servers (think
mainframe-like) for most of our internal services.  Those services would
include your normal things like NFS, DBs, web servers, and custom
applications (things that are not necessarily web-based).  I don't see
us offering extranet partners NFS, but there have been requests to allow
direct access to DBs and some non-web-based applications.  How would you
handle granting access to these?  Web-based, or Java stuff, is no big
deal.  We generally front-end all of those connections using a web
server in a DMZ, which has limited access to services residing on the
"internal" network.  However, what can you do for DBs and non-web-based
apps?  I've kicked around the idea of SOCKS, but I don't think a partner
would like the idea of us requiring a SOCKS client.

Here is a little background.  We already have an extranet
infrastructure, which is limited to branch-to-branch IPSEC VPNs.  We, of
course, firewall all traffic coming in to, or going out of, our "secure"
extranet network.  Connections are allowed to a group of web servers,
which are front-ending some web apps.

So I guess my specific questions are:

1.) If you say you should never allow access to resources on your
protected or internal network, how do you handle giving access to
services that reside on machines that cannot be duplicated (i.e.
expensive mainframes)?
2.) Do most companies require routable addresses on their extranet?
Currently we use RFC1918 addresses for our extranet, but we see that this
will become a problem in the future as we add partners.

Thanks,
Sean



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards