Firewall Wizards mailing list archives
Re: segmentation of DMZs
From: Miles Sabin <miles () milessabin com>
Date: Fri, 15 Nov 2002 09:52:48 +0000
Shimon Silberschlag wrote,
Now, some folks here offer to further segment the infrastructure by having separate physical segments for presentation servers (WWW) that provide authenticated services (and hence have as audience a small subset of the internet crowd but do provide much more sensitive information) and those that are not authenticated (thus can serve the entire internet population).
I'd like to know some more details about this approach.

In this kind of scenario, is the pre-authenticated part of the authentication dialog considered as part of the public service, or as part of the private service? ... i.e. do clients log in on the public server or on the private server?

If it's part of the public service, what would be the recommended mechanism for handing off post-authentication to the private service? Also, if it's part of the public service, presumably we still have some sensitive information present on the public server (e.g. password hashes and whatever's needed to create an authentication token for the private service)?

Alternatively, if it's part of the private service, then presumably the private service has to at least offer unauthenticated access to the authentication dialog. Granted the scope of unauthenticated access is dramatically reduced, but wouldn't this replicate (part of) the problem we're trying to solve?

Cheers,

Miles