Firewall Wizards mailing list archives
RE: Sources for Extranet Designs?
From: "Daniel Linder" <dan () linder org>
Date: Mon, 23 Feb 2004 14:33:56 -0600 (CST)
Baumann, Sean C. said: [snip...]
but there have been requests to allow direct access to DBs and some non-web-based applications. How would you handle granting access to these?
Is there such a thing as a SQL front-end proxy? I would think, with more security devices employing "layer 8" (yeech, marketing speak) filtering, a SQL security proxy that could be programmed with limits such as databases/tables/columns, number of rows returned, etc. might be a good first line of defense...
So I guess my specific questions are: 1.) If you say you should never allow access to resources on your protected or internal network, how do you handle giving access to services that reside on machines that cannot be duplicated (i.e. expensive mainframes)?
Does the data have to be real-time, or can pre-programmed batch jobs be kicked off to generate the data for the customer? Can your big back-end server database be partially replicated to a "disposable" hardened middle server?
2.) Do most companies require routable addresses on their extranet? Currently we use RFC1918 addresses for our extranet, but we see that this will become a problem in the future as we add partners.
The easiest way is to use "real" Internet addressable IP addresses, but that can be kind of a waste if you don't already have them sitting around... The RFC1918's are about the easiest to implement if you can do some sort of NAT'ing between sites. If both of your internal systems reside on conflicting ranges, you can set up the router on your end of the network to NAT all traffic to the customer equipment. Then, the customer equipment only sees a handful of IP addresses in a non-conflicting range that it has to respond to.

--
Daniel Linder

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
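The NAT arrangement described in the message above can be planned before touching the router. The following is an added example, not part of the original post: it detects overlapping RFC1918 ranges between two sites and builds a 1:1 static NAT table into a block neither side uses. All function names and the sample addresses are hypothetical and constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def conflicts(ours, theirs):
    """Pairs of (our_net, their_net) whose address ranges overlap."""
    return [(a, b) for a in ours for b in theirs if a.overlaps(b)]

def pick_translation_block(in_use, prefixlen):
    """First RFC1918 block of the requested size that overlaps nothing in use."""
    for parent in RFC1918:
        if prefixlen < parent.prefixlen:
            continue
        for cand in parent.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(n) for n in in_use):
                return cand
    raise ValueError("no free RFC1918 block of that size")

def build_static_nat(exposed_hosts, block):
    """Map each real host to one address in the translation block (1:1)."""
    pool = block.hosts()
    table = {}
    for host in exposed_hosts:
        try:
            table[ipaddress.ip_address(host)] = next(pool)
        except StopIteration:
            raise ValueError("translation block too small") from None
    return table

def plan(ours, theirs, exposed_hosts, prefixlen=28):
    """Return (translation_block, nat_table); (None, {}) if no NAT is needed."""
    ours = [ipaddress.ip_network(n) for n in ours]
    theirs = [ipaddress.ip_network(n) for n in theirs]
    if not conflicts(ours, theirs):
        return None, {}
    block = pick_translation_block(ours + theirs, prefixlen)
    return block, build_static_nat(exposed_hosts, block)

# Constructed sample: both sites number their LAN out of 10.0.0.0/16.
OURS = ["10.0.0.0/16"]
THEIRS = ["10.0.0.0/16", "192.168.10.0/24"]
EXPOSED = ["10.0.5.20", "10.0.5.21", "10.0.9.8"]  # hosts the partner may reach

if __name__ == "__main__":
    block, table = plan(OURS, THEIRS, EXPOSED)
    print("translation block:", block)
    for real, seen in table.items():
        print(f"  {real} -> {seen}")
```

The resulting table is what the partner's firewall rules should reference, which keeps the exposed set to the few translated addresses rather than the whole internal range.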