Security Basics mailing list archives
RE: Prividing Intranet Website Access To External Users
From: <Steve.Cummings () barclayscapital com>
Date: Thu, 10 Feb 2005 08:22:40 -0000
Stronghold from redhat would be a good fit Regards Steve Cummings Web Services Barclays Capital
*Direct: +44 (0) 207 773 4245 * E-Mail: steve.cummings () barclayscapital com
-----Original Message----- From: Gabriel Orozco [mailto:gabriel_orozco () mx sumida com] Sent: 07 February 2005 19:10 To: rusty chiles; security-basics () securityfocus com Subject: Re: Prividing Intranet Website Access To External Users I would install a reverse proxy, like apache, just connect to the internal web server and the firewall filter every other traffic. ----- Original Message ----- From: "rusty chiles" <rustychiles () gmail com> To: <security-basics () securityfocus com> Sent: Friday, February 04, 2005 6:16 PM Subject: Prividing Intranet Website Access To External Users
Greetings, I'm asking for reccomendations with the following Scenario: We have a internal intranet site. Users are authenticated using their nt credentials. We need to provide the site externally, translate the internal links to external links, and still pass their NT credentials to the website. MGMT wants to do this without vpn, or any other 3rd party software on
the clients computer. The goal here is a single user sign on, so that the end user is presented with the same experience at home as they are at work. We WILL use SSL to protect the transportation of the userid and password. The web server is IIS on windows2003. The web server will be in the DMZ, and only port 443 will be allowed from the outside world. The problem is that webserver in the dmz will need to have the ability
to talk to the domain controller, as well as a sql server. I prefer my resources be separated, and never have internal servers traverse the dmz, but in this case that is not possible due to a dependency on the website having tight integration with Active directory resources. We could put a sql box in the dmz, but a domain controller....... I don't feel comfortable doing that. One box in the dmz is compromised, then the DC is open to direct attack. If the box talks from the dmz to the internal Domain controller, we can acl the traffic so that it only talks over limited port numbers; however there is still some risk involved. (which we may have to accept) What experience have members of this list had with publishing their intranets to the internet in a secure manner. What has worked reliably, and still provided solid security. I've considered a SSL VPN type portal, ISA Server, and the like as well as several forwarding proxies, but am not 100% comfortable with any of the solutions I have seen thus far. Any reccomendations List members can make will be helpful to us.
------------------------------------------------------------------------ For more information about Barclays Capital, please visit our web site at http://www.barcap.com. Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons. ------------------------------------------------------------------------
Current thread:
- Prividing Intranet Website Access To External Users rusty chiles (Feb 07)
- Re: Prividing Intranet Website Access To External Users Gabriel Orozco (Feb 09)
- <Possible follow-ups>
- RE: Prividing Intranet Website Access To External Users Javier Otero De Alba (Feb 09)
- Re: Prividing Intranet Website Access To External Users Brandon Kovacs (Feb 09)
- RE: Prividing Intranet Website Access To External Users Depp, Dennis M. (Feb 09)
- RE: Prividing Intranet Website Access To External Users Javier Otero De Alba (Feb 10)
- RE: Prividing Intranet Website Access To External Users Steve.Cummings (Feb 10)