Firewall Wizards mailing list archives
Re: Access to internal resources
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 11:17:34 -0400 (EDT)
On Tue, 22 Jun 2004, Nathan Casey wrote:
> We have SQL data which can currently be viewed on our internal Intranet by select employees. Access to the SQL data site is controlled by NTFS permissions. Now, we are required to make the same SQL data available over the internet to the same group of people that have internal access. Our external web server is in a PIX DMZ separate from our internal network. Would it be possible to use MS ISA server to act as a reverse proxy to allow external users to access SQL data in a browser over the public internet?
For read-only access, it's likely "better" to clone the data and let them access the data on a DMZ/Extranet machine with suitable authentication (VPNs with auth work well.)

This gives several advantages- Internet users can't ever change the "real" data, no matter what bugs are in the application, revocation issues aside, it's difficult to deal with a compromise in a hotel or someone's house. You get a "backup database" should you have a hardware failure, which can be a real lifesaver, and you can further lock down the writable database system, and point internal users at the read-only copy too, and have real separation.

I'd be wary of allowing external systems to use internal credentials to access an internal production server, the failure modes are pretty bad, but only you can make a real risk assessment on the value proposition.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards