Firewall Wizards mailing list archives

Re: segmentation of DMZs


From: Miles Sabin <miles () milessabin com>
Date: Fri, 15 Nov 2002 09:52:48 +0000

Shimon Silberschlag wrote,
> Now, some folks here offer to further segment the infrastructure by
> having separate physical segments for presentation servers (WWW) that
> provide authenticated services (and hence have as audience a small
> subset of the internet crowd but do provide much more sensitive
> information) and those that are not authenticated (thus can serve the
> entire internet population).

I'd like to know some more details about this approach.

In this kind of scenario, is the pre-authenticated part of the 
authentication dialog considered as part of the public service, or as 
part of the private service? ... i.e. do clients log in on the public 
server or on the private server?

If it's part of the public service, what would be the 
recommended mechanism for handing off post-authentication to the 
private service? Also, if it's part of the public service, presumably we 
still have some sensitive information present on the public server (e.g. 
password hashes and whatever's needed to create an authentication token 
for the private service)?

Alternatively, if it's part of the private service, then presumably the 
private service has to at least offer unauthenticated access to the 
authentication dialog. Granted the scope of unauthenticated access is 
dramatically reduced, but wouldn't this replicate (part of) the problem 
we're trying to solve?

Cheers,


Miles
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
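One way the hand-off the post asks about could be arranged, shown as an added example that is not part of the post or of the thread: the public-segment server only relays the login dialog and keeps no password hashes, an authentication service in the private segment checks the hash and issues a short-lived HMAC-signed token, and the private presentation server admits a request only on a token it can verify. The function names, the PBKDF2/HMAC choices, the demo users and the 300-second lifetime are all assumptions.

```python
import base64, binascii, hashlib, hmac, json, os, time
from typing import Optional
# Constructed demo material (assumptions, not from the post): two users with
# salted PBKDF2 hashes, and a token-signing key shared only by the auth service
# and the private presentation server. None of this is ever loaded on the public server.
def _hash(pw: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000)

_SALTS = {"alice": os.urandom(16), "bob": os.urandom(16)}
USER_DB = {u: (_SALTS[u], _hash(pw, _SALTS[u]))
           for u, pw in (("alice", b"correct horse"), ("bob", b"battery staple"))}
TOKEN_KEY = os.urandom(32)
TOKEN_TTL = 300  # seconds a hand-off token stays valid

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def auth_service_login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Private segment: the only component that sees password hashes or TOKEN_KEY."""
    entry = USER_DB.get(user)
    if entry is None:
        return None
    salt, stored = entry
    if not hmac.compare_digest(stored, _hash(password.encode(), salt)):
        return None
    now = time.time() if now is None else now
    body = json.dumps({"sub": user, "exp": int(now) + TOKEN_TTL}).encode()
    return f"{b64url(body)}.{b64url(hmac.new(TOKEN_KEY, body, 'sha256').digest())}"

def public_server_login(user: str, password: str) -> Optional[str]:
    """Public segment: relays the login dialog across the inner firewall and hands
    the resulting token back to the client. It stores no hashes and no key."""
    return auth_service_login(user, password)  # stands in for an RPC to the private segment

def private_server_accept(token: str, now: Optional[float] = None) -> Optional[str]:
    """Private segment: admits a request only on a token with a valid tag and unexpired claims."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = unb64url(body_b64), unb64url(tag_b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(hmac.new(TOKEN_KEY, body, "sha256").digest(), tag):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    return claims["sub"] if claims["exp"] > now else None
```

The unauthenticated surface on the private side is then limited to `private_server_accept`, which does nothing but a tag check before any request is processed.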
