Firewall Wizards mailing list archives
RE: EDI (AS2) Configuration
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 1 Nov 2005 09:35:51 -0500
-----Original Message-----
Subject: [fw-wiz] EDI (AS2) Configuration

> They claim that there is enough security in the application to prevent
> abuse of the server/network.

What an arrogant way to try and dismiss the fact that their product lacks the flexibility to be deployed across a firewall DMZ. You're wise to beware of these jokers.

> I'd appreciate any info anyone can offer on implementing this type of app
> (AS2-based EDI).
> Do I have these configurations ranked appropriately (from a network
> security perspective)?
> Are there configurations I'm not considering? Is it fair to say that
> configuration #3 is a "worst-case" scenario (from a network security
> perspective)?

Depending on the specifics of the products and how granular the controls of your reverse proxy are (and how fastidious you are about configuring them), that may actually be the more secure way to deploy. But maybe that's just me not wanting to trust vendors. :)

If done properly, AS2 shouldn't be that big of a security headache to deploy. Use your firewall to control and log access to the AS2 service from only addresses given by business partners for the purpose of EDI. Enforce the use of S/MIME signing and encrypting of EDI messages and signing of MDN's and turn on audit logging in the EDI application. That should get you to a reasonable level of exposure with appropriate accountability. Anything extra you do - like using a reverse proxy to restrict HTTP requests only to the secure-enough AS2 application running on the vendor's secure-enough web server - is to get yourself in line with your own risk analysis.

PaulM
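The checks described in the message above (partner source addresses, S/MIME encryption, signed MDNs), sketched as a policy filter a reverse proxy could apply to inbound AS2 requests. This is an added example, not part of the original post or any vendor's product; the header names follow RFC 4130, while the partner identifiers, addresses and the function name `check_as2_request` are constructed for illustration.

```python
import ipaddress
from email.message import Message

# Constructed partner table: AS2-From identifier -> source networks the
# partner supplied for EDI (RFC 5737 documentation ranges, not real hosts).
PARTNERS = {
    "ACME-EDI": [ipaddress.ip_network("192.0.2.0/28")],
    "GLOBEX-AS2": [ipaddress.ip_network("198.51.100.17/32")],
}
# Constructed sample headers of a compliant inbound AS2 POST.
SAMPLE = {
    "AS2-From": "ACME-EDI",
    "AS2-To": "MYCO-EDI",
    "Content-Type": 'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"',
    "Disposition-Notification-To": "edi@partner.example",
    "Disposition-Notification-Options": (
        "signed-receipt-protocol=required, pkcs7-signature; "
        "signed-receipt-micalg=required, sha1"
    ),
}

def check_as2_request(src_ip, headers, partners=PARTNERS):
    """Return a list of policy violations; an empty list means accept."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    # 1. Sender must be a known partner connecting from its own addresses.
    sender = h.get("as2-from", "").strip('"')
    nets = partners.get(sender)
    if nets is None:
        problems.append("unknown AS2-From")
    elif not any(ipaddress.ip_address(src_ip) in n for n in nets):
        problems.append("source address not registered for partner")
    # 2. Payload must be an S/MIME envelope (encrypted). With sign-then-encrypt
    #    the signature sits inside the envelope, so only the AS2 application
    #    can verify it after decryption; the proxy can only see the envelope.
    m = Message()
    m["Content-Type"] = h.get("content-type", "text/plain")
    smime_type = str(m.get_param("smime-type", "")).lower()
    if m.get_content_type() != "application/pkcs7-mime" or smime_type != "enveloped-data":
        problems.append("payload not S/MIME encrypted")
    # 3. Sender must request an MDN, and request it signed.
    dno = h.get("disposition-notification-options", "").lower()
    if "disposition-notification-to" not in h:
        problems.append("no MDN requested")
    elif "signed-receipt-protocol" not in dno or "pkcs7-signature" not in dno:
        problems.append("MDN not requested as signed")
    return problems

if __name__ == "__main__":
    print(check_as2_request("192.0.2.5", SAMPLE))
```

Each rejected request's violation list is what you would write to the proxy's log alongside the firewall and EDI application audit logs.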