Firewall Wizards mailing list archives

RE: Sources for Extranet Designs?


From: "Daniel Linder" <dan () linder org>
Date: Mon, 23 Feb 2004 14:33:56 -0600 (CST)


Baumann, Sean C. said:
[snip...]
but there have been requests to allow
direct access to DBs and some non-web-based applications.  How would you
handle granting access to these?

Is there such a thing as a SQL front end proxy?  I would think with more
security devices employing "layer 8" (yeech, marketing speak) filtering, a
SQL security proxy that could be programmed with limits such as
databases/tables/columns, number of rows returned, etc., this might be a
good first line of defense...

So I guess my specific questions are:
1.) If you say you should never allow access to resources on your
protected or internal network, how do you handle giving access to
services that reside on machines that cannot be duplicated (i.e.
expensive mainframes)?

Does the data have to be real-time, or can pre-programmed batch jobs be
kicked off to generate the data for the customer?  Can your big back-end
server database be partially replicated to a "disposable" hardened middle
server?

2.) Do most companies require routable addresses on their extranet?
Currently we use RFC1918 addresses for our extranet, but we see that this
will become a problem in the future as we add partners.

The easiest way is to use "real" Internet addressable IP addresses, but
that can be kind of a waste if you don't already have them sitting
around...

The RFC1918's are about the easiest to implement if you can do some sort
of NAT'ing between sites.  If both of your internal systems reside on
conflicting ranges, you can set up the router on your end of the network to
NAT all traffic to the customer equipment.  Then, the customer equipment
only sees a handful of IP addresses in a non-conflicting range that it
has to respond to.

-- 
Daniel Linder
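A small illustration of the kind of policy the SQL front end proxy discussed above would enforce, added here and not part of the original message or thread: it uses SQLite's authorizer hook (Python's standard sqlite3 module) to restrict a partner's queries to approved tables and columns, refuse anything other than SELECT, and cap the number of rows handed back. The table, its columns, the sample rows and the policy values are all constructed for this example.

```python
import sqlite3

# Constructed policy (assumption): the partner may read only these columns,
# and never receives more than MAX_ROWS rows from any single query.
ALLOWED_COLUMNS = {"orders": {"order_id", "status"}}
MAX_ROWS = 3

def _policy(action, arg1, arg2, db_name, trigger):
    """SQLite authorizer: consulted for each operation a statement would perform."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK            # SELECT statements are permitted in principle
    if action == sqlite3.SQLITE_READ:       # arg1 = table name, arg2 = column name
        if arg2 in ALLOWED_COLUMNS.get(arg1, ()):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY          # any other table or column fails the whole statement
    if action == sqlite3.SQLITE_FUNCTION:   # built-in scalar/aggregate functions such as count()
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY              # INSERT/UPDATE/DELETE/DROP/PRAGMA/ATTACH ... all refused

def open_partner_connection():
    """Build the constructed sample database, then attach the policy to the connection."""
    conn = sqlite3.connect(":memory:")
    # executescript() bypasses the module's prepared-statement cache; the authorizer
    # only runs when a statement is compiled, so setup must not leave cached statements
    # behind that a later partner query could reuse unchecked.
    conn.executescript("""
        CREATE TABLE orders (order_id INTEGER, status TEXT, customer_name TEXT, card_number TEXT);
        INSERT INTO orders VALUES (1, 'open',    'Alice', '4000-0001');
        INSERT INTO orders VALUES (2, 'shipped', 'Bob',   '4000-0002');
        INSERT INTO orders VALUES (3, 'open',    'Carol', '4000-0003');
        INSERT INTO orders VALUES (4, 'shipped', 'Dave',  '4000-0004');
        INSERT INTO orders VALUES (5, 'open',    'Erin',  '4000-0005');
    """)
    conn.set_authorizer(_policy)            # from here on every newly compiled statement is checked
    return conn

def run_partner_query(conn, sql):
    """Run a partner's SQL under the policy; returns ('ok', rows) or ('denied', reason)."""
    try:
        cur = conn.execute(sql)
    except sqlite3.DatabaseError as exc:    # SQLite reports a refused statement as 'not authorized'
        return ("denied", str(exc))
    rows = cur.fetchmany(MAX_ROWS)          # row cap: hand back at most MAX_ROWS rows
    return ("ok", rows)
```

Because the check happens when SQLite compiles the statement, a denied query never touches the data at all; a column outside the policy anywhere in the SELECT list or WHERE clause is enough to refuse it.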

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards