Re: Prividing Intranet Website Access To External Users

[Brandon Kovacs <liljoker771 () gmail com>]

Or you could tunnel it with VPN


On Mon, 7 Feb 2005 11:38:37 -0600, Javier Otero De Alba
<jotero () smartekh com> wrote:
> If you want do this in cuple of days use Juniper Secure Access SSL, does all you want and implemets very fast.
> Visit www.juniper.net
>
> Ing. Fco. Javier Otero De Alba
> Diplomado en Seguridad Informática ITESM CEM
> ITStrap
> Product Manager
> 5243-4782 al 84 Ext.300
> México, D.F.
>
> -----Mensaje original-----
> De: rusty chiles [mailto:rustychiles () gmail com]
> Enviado el: Viernes, 04 de Febrero de 2005 06:17 p.m.
> Para: security-basics () securityfocus com
> Asunto: Prividing Intranet Website Access To External Users
>
> Greetings,
>
> I'm asking for reccomendations with the following Scenario:
>
> We have a internal intranet site. Users are authenticated using their
> nt credentials.
>
> We need to provide the site externally, translate the internal links
> to external links, and still pass their NT credentials to the website.
>
> MGMT wants to do this without vpn, or any other 3rd party software on
> the clients computer.
>
> The goal here is a single user sign on, so that the end user is
> presented with the same experience at home as they are at work.
>
> We WILL use SSL to protect the transportation of the userid and password.
>
> The web server is IIS on windows2003.
>
> The web server will be in the DMZ, and only port 443 will be allowed
> from the outside world.
>
> The problem is that webserver in the dmz will need to have the ability
> to talk to the domain controller, as well as a sql server.
>
> I prefer my resources be separated, and never have internal servers
> traverse the dmz, but in this case that is not possible due to a
> dependency on the website having tight integration with Active
> directory resources.
>
> We could put a sql box in the dmz, but a domain controller....... I
> don't feel comfortable doing that. One box in the dmz is compromised,
> then the DC is open to direct attack.
>
> If the box talks from the dmz to the internal Domain controller, we
> can acl the traffic so that it only talks over limited port numbers;
> however there is still some risk involved. (which we may have to
> accept)
>
> What experience have members of this list had with publishing their
> intranets to the internet in a secure manner.
>
> What has worked reliably, and still provided solid security.
>
> I've considered a SSL VPN type portal, ISA Server, and the like as
> well as several forwarding proxies, but am not 100% comfortable with
> any of the solutions I have seen thus far.
>
> Any reccomendations List members can make will be helpful to us.


-- 
-Brandon