Firewall Wizards mailing list archives

Re: Access to internal resources


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 11:17:34 -0400 (EDT)

On Tue, 22 Jun 2004, Nathan Casey wrote:

We have SQL data which can currently be viewed on our internal Intranet
by select employees. Access to the SQL data site is controlled by NTFS
permissions. Now, we are required to make the same SQL data available
over the internet to the same group of people that have internal access.
Our external web server is in a PIX DMZ separate from our internal
network. Would it be possible to use MS ISA server to act as a reverse
proxy to allow external users access SQL data in a browser over the
public internet?

For read-only access, it's likely "better" to clone the data and let them
access the data on a DMZ/Extranet machine with suitable authentication
(VPNs with auth work well.)

This gives several advantages: Internet users can't ever change the "real"
data, no matter what bugs are in the application; revocation issues aside,
it's difficult to deal with a compromise in a hotel or someone's house.
You get a "backup database" should you have a hardware failure, which can
be a real lifesaver, and you can further lock down the writable database
system, point internal users at the read-only copy too, and have real
separation.

I'd be wary of allowing external systems to use internal credentials to
access an internal production server; the failure modes are pretty bad,
but only you can make a real risk assessment on the value proposition.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards