Firewall Wizards mailing list archives

RE: EDI (AS2) Configuration


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 1 Nov 2005 09:35:51 -0500

-----Original Message-----
Subject: [fw-wiz] EDI (AS2) Configuration

> They claim that there is enough security in the application to prevent
> abuse of the server/network.

What an arrogant way to try and dismiss the fact that their product lacks
the flexibility to be deployed across a firewall DMZ.  You're wise to beware
of these jokers.


> I'd appreciate any info anyone can offer on implementing this type of app
> (AS2-based EDI).
> Do I have these configurations ranked appropriately (from a network
> security perspective)?
> Are there configurations I'm not considering?  Is it fair to say that
> configuration #3 is a "worst-case" scenario (from a network security
> perspective)?

Depending on the specific of the products and how granular the controls of
your reverse proxy are (and how fastidious you are about configuring them),
that may actually be the more secure way to deploy.  But maybe that's just
me not wanting to trust vendors. :)

If done properly, AS2 shouldn't be that big of a security headache to
deploy.  Use your firewall to control and log access to the AS2 service from
only addresses given by business partners for the purpose of EDI.  Enforce
the use of S/MIME signing and encrypting of EDI messages and signing of
MDNs and turn on audit logging in the EDI application.  That should get you
to a reasonable level of exposure with appropriate accountability.  Anything
extra you do - like using a reverse proxy to restrict HTTP requests only to
the secure-enough AS2 application running on the vendor's secure-enough web
server - is to get yourself in line with your own risk analysis.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
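The controls Paul lists (partner-only source addresses, mandatory S/MIME encryption and signing of EDI messages, signed MDNs, audit logging) can be enforced as a policy gate in front of the AS2 application. The following is an added example written for this archive page; it is not code from Paul or from any AS2 product. It checks the AS2 HTTP headers defined in RFC 4130 (AS2-From, AS2-To, Content-Type, Disposition-Notification-Options) and the Content-Type of the decrypted payload against a constructed partner table; the partner IDs and address ranges are made up, and the names check_inbound_as2 and audit_line are this example's own. It only inspects declared MIME types and headers; actual decryption and signature verification remain the AS2 software's job.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed partner table: AS2 identifier -> networks that partner sends from.
# These IDs and addresses are made up for the example.
PARTNER_SOURCES = {
    "PARTNER-ACME": ["203.0.113.0/24"],
    "PARTNER-GLOBEX": ["198.51.100.17/32"],
}

# Our own AS2 identifier (constructed).
OUR_AS2_ID = "OUR-COMPANY"


def _lower_headers(headers):
    # HTTP header names are case-insensitive; normalise them once.
    return {k.lower(): v for k, v in headers.items()}


def _is_encrypted(content_type):
    # S/MIME encrypted AS2 body (RFC 4130): application/pkcs7-mime, smime-type=enveloped-data
    ct = content_type.lower()
    return "application/pkcs7-mime" in ct and "smime-type=enveloped-data" in ct


def _is_signed(content_type):
    # S/MIME signed AS2 body: multipart/signed with a pkcs7-signature part
    ct = content_type.lower()
    return ct.startswith("multipart/signed") and "pkcs7-signature" in ct


def _requests_signed_mdn(dno):
    # Disposition-Notification-Options carries e.g.
    #   signed-receipt-protocol=required, pkcs7-signature; signed-receipt-micalg=required, sha256
    if not dno:
        return False
    for part in dno.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "signed-receipt-protocol":
            return "pkcs7-signature" in value.lower()
    return False


def check_inbound_as2(src_ip, headers, inner_content_type=None):
    """Return (accepted, reason) for one inbound AS2 request.

    inner_content_type is the Content-Type found after the AS2 software has
    decrypted the enveloped body; pass None if the message was not encrypted.
    """
    h = _lower_headers(headers)
    as2_from = h.get("as2-from", "")
    as2_to = h.get("as2-to", "")
    if as2_to != OUR_AS2_ID:
        return False, "as2-to mismatch"
    nets = PARTNER_SOURCES.get(as2_from)
    if nets is None:
        return False, "unknown partner"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(n) for n in nets):
        return False, "source address not registered for partner"
    if not _is_encrypted(h.get("content-type", "")):
        return False, "message not S/MIME encrypted"
    if not _is_signed(inner_content_type or ""):
        return False, "decrypted payload not S/MIME signed"
    if not _requests_signed_mdn(h.get("disposition-notification-options", "")):
        return False, "signed MDN not requested"
    return True, "ok"


def audit_line(src_ip, headers, verdict):
    """Build one audit log record for the decision (constructed format)."""
    accepted, reason = verdict
    h = _lower_headers(headers)
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    result = "ACCEPT" if accepted else "REJECT"
    return (f"{ts} as2 src={src_ip} from={h.get('as2-from', '')} "
            f"to={h.get('as2-to', '')} msgid={h.get('message-id', '')} "
            f"result={result} reason={reason}")


# Constructed sample request: encrypted, signed inside, signed MDN requested.
SAMPLE_HEADERS = {
    "AS2-From": "PARTNER-ACME",
    "AS2-To": "OUR-COMPANY",
    "Message-ID": "<constructed-0001@example.invalid>",
    "Content-Type": "application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m",
    "Disposition-Notification-Options":
        "signed-receipt-protocol=required, pkcs7-signature; signed-receipt-micalg=required, sha256",
}
SAMPLE_INNER = 'multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b"'

if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.9"):
        v = check_inbound_as2(ip, SAMPLE_HEADERS, SAMPLE_INNER)
        print(audit_line(ip, SAMPLE_HEADERS, v))
```

Running the block prints one ACCEPT line for the registered partner address and one REJECT line for the unregistered one; each reject reason names the control that failed, which is what makes the audit trail useful when a partner's traffic is blocked.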