Firewall Wizards mailing list archives
RE: monitoring and controlling servers on internet segment
From: Yinal Ozkan <Yinal.Ozkan () Integralis Com>
Date: Tue, 4 May 2004 09:19:11 -0400
Hi Shimon,

That is why you have DMZs. Yes, it is not a good idea to open inbound traffic. Actually it is not good to open any traffic from outside. On the other hand, an intermediary server on the untrusted network is as vulnerable as the other hosts. A better approach is to locate the intermediary server on a different DMZ protected by the firewall. This setup will protect the intermediary from any exploit that does not use the monitoring traffic (e.g. Sasser). And also, if this host is ever compromised (which is possible) after the internet hosts, your trusted network will be behind the firewall.

cheers,

- yinal

Yinal OZKAN
INTEGRALIS
http://www.integralis.com
1-877-557-1475

-----Original Message-----
From: Shimon Silberschlag [mailto:shimons () bll co il]
Sent: Tuesday, May 04, 2004 5:53 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] monitoring and controlling servers on internet segment

Let's say that a client has various servers on an internet segment, which is separated from the internal network with a firewall. The client wants to have an agent reporting various events back to the management center, which is on the internal net. The protocol in use uses fixed ports, and is encrypted with mutual authentication between machines. The client does not want to open up all servers to the internal net, so he puts an intermediary server on the internet segment, which gets the reports from all internet servers, and pushes them to the management center on the inside. There is no option to poll the intermediary. The only other option is to install a separate management center for the internet segment, with the associated costs in purchase and maintenance.

Would using such a setup (the intermediary one) constitute good, bad or best practice?
Shimon Silberschlag
+972-3-9351572
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
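The three-zone layout Yinal recommends (internet servers, the intermediary on its own DMZ, the management center inside), written as an nftables forward policy on the firewall. This is an added example, not configuration from the thread or from either company; interface names, addresses and the agent port (5000/tcp) are assumed placeholders.

```nft
# Added example (not from the thread). Assumed layout:
#   eth0 = internet segment (the reporting servers)
#   eth1 = monitoring DMZ (the intermediary only)
#   eth2 = internal net (the management center)
# Placeholder addresses; the agent protocol's fixed port is assumed to be 5000/tcp.
table inet fw {
    set internet_servers {
        type ipv4_addr
        elements = { 203.0.113.10, 203.0.113.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to the two permitted pushes come back through the firewall;
        # nothing else is allowed to originate from the DMZ or the internet side.
        ct state established,related accept
        ct state invalid drop

        # Internet servers push reports to the intermediary only, on the agent port.
        # A worm on one of them cannot reach the internal net at all.
        iifname "eth0" oifname "eth1" ip saddr @internet_servers \
            ip daddr 192.0.2.10 tcp dport 5000 accept

        # The intermediary pushes to the management center only (no polling needed,
        # and it cannot initiate anything else inward even if it is compromised).
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 \
            ip daddr 10.0.0.20 tcp dport 5000 accept

        # Everything else, including any direct internet -> internal attempt, is
        # logged and dropped; the log line is what the management center should watch for.
        log prefix "fw-drop: " drop
    }
}
```

Load with `nft -f` and check the result with `nft list ruleset`; a compromised intermediary then shows up as `fw-drop:` entries for unexpected destinations rather than as traffic inside the trusted net.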
Current thread:
- RE: monitoring and controlling servers on internet segment Yinal Ozkan (May 04)
- Re: monitoring and controlling servers on internet segment Shimon Silberschlag (May 04)
- RE: monitoring and controlling servers on internet segment Richard . Bertolett (May 04)
- Re: monitoring and controlling servers on internet segment Patrick Giagnocavo +1.717.201.3366 (May 04)