Firewall Wizards mailing list archives
RE: Sources for Extranet Designs?
From: "Baumann, Sean C." <Sean.Baumann () celera com>
Date: Mon, 23 Feb 2004 14:16:34 -0500
From: Wes Noonan [mailto:mailinglists () wjnconsulting com]
Never grant access to your production network or resources

Wow, you read my mind. Great guess. The crux of my current issue is with allowing extranet partners access to resources on my internal network. The problem is that we utilize "large" and expensive servers (think mainframe-like) for most of our internal services. Those services would include your normal things like NFS, DBs, web servers, and custom applications (things that are not necessarily web-based). I don't see us offering extranet partners NFS, but there have been requests to allow direct access to DBs and some non-web-based applications.

How would you handle granting access to these? Web-based, or Java stuff, is no big deal. We generally front-end all of those connections using a web server in a DMZ, which has limited access to services residing on the "internal" network. However, what can you do for DBs and non-web-based apps? I've kicked around the idea of SOCKS, but I don't think a partner would like the idea of us requiring a SOCKS client.

Here is a little background. We already have an extranet infrastructure, which is limited to branch-to-branch IPSEC VPNs. We, of course, firewall all traffic coming in to, or going out of, our "secure" extranet network. Connections are allowed to a group of web servers, which are front-ending some web apps.

So I guess my specific questions are:

1.) If you say you should never allow access to resources on your protected or internal network, how do you handle giving access to services that reside on machines that cannot be duplicated (i.e. expensive mainframes)?

2.) Do most companies require routable addresses on their extranet? Currently we use RFC 1918 addresses for our extranet, but we see that this will become a problem in the future as we add partners.

Thanks,
Sean

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards